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Introducing Time-lapse View, 


a productivity feature of Perforce SCM. 


Time-lapse View lets developers see every edit ever made to a file in a 
dynamic, annotated display. At long last, developers can quickly find 
answers to questions such as: ‘Who wrote this code, and when?’ and 


‘What content got changed, and why?’ 


Time-lapse View features a graphical timeline that visually recreates 

the evolution of a file, change by change, in one fluid display. Color 

gradations mark the aging of file contents, and the display’s timeline 
can be configured to show changes by revision number, date, or 


changeset number. 


Time-lapse View is just one of the many productivity tools that come 
with the Perforce SCM System. 


Download a free copy of Perforce, no questions 
asked, from www.perforce.com. Free technical support is 
available throughout your evaluation. 


- Removes the hurdles between project 
planning and project implementation — 


DevPlan 


Use DevPlan to define project deliverables 


¢ Manage milestones, timelines, and resources 

¢ Attach designs, specifications, and 
requirements to create a fully conceptualized 
product before development work begins 

¢ Schedule events to co-ordinate resources, 
enforce deadlines, and drive deliverables 


Devirack 


Use Devirack to manage its implementation 

¢ Manage implementation items, changes, features, defects, 
and project issues using an action-based workflow 

¢ Track development work within the context of a project 
and associate work items to source code deliverables 

¢ Run configurable reports that can be published 
dynamically to the web 
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Spot the difference? From the first line of code, you'll see. Visual 
Studio® 2005 has over 400 new features that help you build data- 
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Developers building applications for service-oriented 
architectures often misjudge the risks involved. Tune in 
to ACM Queue’s Premium Queuecast as Wayne Ariola, 

vice president of corporate development for Parasoft, 
highlights some of the more common miscues associated with 
SOA and discusses best practices for building SOA applications. 
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MAKES YOU 
SUCCEED 


Charlene O’Hanlon, ACM Queue 


ome of my favorite childhood memories are of play- 

ing games with my sister—both structured games 

such as Monopoly or hopscotch and imagination- 
fueled games such as cops and robbers or roller derby 
girls (don’t ask). Regardless of whether the game had 
established regulations, often our play would devolve into 
what I call Calvinball, a term coined in the comic strip 
Calvin and Hobbes referring to the act of making up the 
rules as you go along. 

Our Calvinball play had some distinct advantages: 

It was a lot more fun to change the rules in the middle 
of the game. No one ever got bored. It allowed us to 
stretch our minds beyond the parameters of regular play. 
And—quite possibly the best advantage—everybody won 
in Calvinball. Of course, there was the occasional cry of, 
“Hey, that’s not fair!” but that person was quickly out- 
numbered if there were more than two players. 

Unfortunately (at least for me), life doesn’t work that 
way. Calvinball would never fly in the corporate environ- 
ment. Results are based on expectations, and expectations 
are based on rules. Things can get messy if that path is 
not followed. Rules and regulations bring a sense of order, 
and order has more of a place in the corporate world than 
in childhood games. 

Compliance is one very large way of imposing order 
and ensuring everyone plays by the same rules. Corporate 
financial shenanigans, most notably the Enron debacle a 
few years back, have brought on a plethora of new com- 
pliance regulations including the Sarbanes-Oxley Act of 
2002 (more commonly known as SOX) and Basel II (aka 
The New Accord, or its given name of the International 
Convergence of Capital Measurement and Capital Stan- 
dards—A Revised Framework). HIPAA (the Health Insur- 
ance Portability and Accountability Act of 1996), which 
was originally designed to protect employees from losing 
their health insurance coverage should they leave their 
jobs for any reason, has spawned a reformation of the 
health-care industry as it relates to privacy and protec- 
tion of a patient’s personal information. The HL7 (Health 
Level 7) standard developed by the organization of the 
same name is now the de facto standard for interfacing 
disparate health-related software systems. 
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Playing by the Rules 


The complex 


world of 


COMPLIANCE The impact of these 
compliance regulations 
and resulting standards has 
had a ripple effect through- 
out the entire corporate 
spectrum, from Fortune 500 companies to mom-and-pop 
shops. Developers and IT departments now must scru- 
tinize every application, purchase, and implementation 
with an eye toward compliance. IT budgets have been 
stretched to deal with myriad issues associated with 
becoming compliant. 

It’s not an easy task, but savvy IT managers can keep 
their organizations compliant while staying within the 
parameters of their budgets. The best developers can help 
make that seemingly impossible dream a reality. CIOs, on 
the other hand, are tasked with helping ensure success by 
providing both a workable budget and smart, dedicated 
people—a delicate balance at best. 

This issue of ACM Queue attempts to deal with compli- 
ance head-on, but admittedly only scratches the surface. 
Compliance generates subtopics like a rabbit generates 
bunnies, so if there is a compliance-related topic we 
haven't covered that you would like to read about, please 
let us know. 

On a totally unrelated note, this month’s issue also 
features the debut of a new monthly column devoted to 
technology outside the workplace. Geek@home explores 
how technologists can—and do—use their wares to 
improve their lives and the lives of those around them. 
Contributor Mache Creeger kicks things off with his 
internal argument over installing a terabyte server in his 
home. The column promises to be an interesting and 
mostly lighthearted read, and might even offer a few take- 
aways to spur you into action. Again, let us know what 
you think, and what you would like to read about. 

Keeping up with compliance is a difficult and consum- 
ing task. In this instance, however, I’d rather have real 
rules than Calvinball. Q 


CHARLENE O’HANLON, editor of ACM Queue, believes 
everyone could benefit from a good game of Calvinball. You 


can reach her via e-mail at cohanlon@acmqueue.com. 
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ANALYSIS & REVIEW 


The Greatest Software Testing Conference on Earth 


ANAHEIM, CA OCTOBER 16-20, 2006 


KEYNOTES BY INTERNATIONAL EXPERTS 


Harry Gary Loyd Roden JeanTabaka Johanna Bliss 


Robinson McGraw Grove Rally Software Rothman Captaris 
Google Cigital, Inc. Consultants Development Rothman 
Corporation —_—_ Consulting 
Group, Inc. 
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QUALITY | 
ENGINEERING 
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www.sgqe.com/starwest 
REGISTER EARLY AND SAVE $200! 


THE TESTING EXPO 
OCTOBER 18-19, 2006 


IN-DEPTH TUTORIALS structured in a daylong 
workshop format to provide practical, hands-on 
information about specific testing issues and challenges 


KEYNOTE SESSIONS given by international industry 
experts from a range of backgrounds on a variety of 
testing topics 


CONCURRENT SESSIONS packed with information 
covering critical testing issues giving new real-world 
approaches to solving them for the beginner to 
advanced testing professional 


EXPO EVENT provides the latest tools, products, and 
services from leading testing software and service 
vendors to give you the solutions you need 


Open Source Gets Mac Attack 

McAfee just published the inaugural issue of Sage, its 
semi-annual report on security threats. This first issue 
focuses on how malware developers use open source tools 
and methodologies. In one article, the authors describe 
how botnet developers share code to produce “produc- 
tion-grade malware.” The authors are careful not to indict 
the open source movement as a whole, but do state that 
open source is “a critical enabler for malware.” 

Some might respond that all malware is enabled by 
the tools and methodologies used to produce it (e.g., 
were not the numerous widespread VB worms enabled by 
closed source tools and methodologies?). But reading on, 
we arrive at what might be McAfee’s true point of con- 
cern. The report states that “perhaps the time has come 
to reevaluate beliefs about full disclosure and absolute 
adherence to the open source creed.” Opponents of full 
disclosure feel that the practice of publicizing vulnerabili- 
ties upon their discovery opens a window for malware 
authors to develop and deploy exploits, while proponents 
claim that making vulnerabilities public ensures their 
prompt attention. Consider the debate reinvigorated. 
WANT MORE? 
http://www.vnunet.com/vnunet/news/2160379/security- 
feels-pain-open-source 
http://www.mcafee.com/us/local_content/white_papers/ 
threat_center/mcafee_sage_v11_en.pdf 


Oh No, Not Another Consortium! 
While some groups are pressing on the brakes of the open 
source movement, others are pressing on the gas. The 
OMC (Open Management Consortium) has just sprung 
up to promote open source technologies within the broad 
domain of systems management. The field has long been 
dominated by huge companies such as IBM and HP. As 
such, systems management products typically have been 
expensive, heavyweight solutions geared toward equally 
large enterprises with longstanding vendor relationships. 
The OMC seeks to change this, pointing out that there 
is a whole segment of the industry, particularly those rely- 
ing on inexpensive commodity hardware, that could ben- 
efit from an open source systems management approach. 
While its software offerings might be a bit more mod- 
est, the OMC’s ambition is not. To accomplish its goals, 
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Taking a 
second look art the OMC seeks to redefine 
the systems management 
lexicon. In a blog entry on 
the OMC site, an author 


from configuration man- 


THE NEWS SO YOU 


DON’T HAVE TO 


agement software vendor 
Emu Systems claims that trying to find an appropriate 
product while sifting through all of the software catego- 
rized as systems management is “about as useful as if I 
were to challenge you to name the living creature I’m 
thinking of and only give you the clue that it is a member 
of the kingdom animalia.” This blogger feels that more 
precision in terminology will help customers navigate 
the systems management jungle while allowing vendors 
to better position their products. No argument there, but 
wrestling the language away from the marketeers might 
present an even greater challenge than that presented by 
the OMC’s entrenched business rivals. 
WANT MORE? 
http://news.com.com/Start-ups+team+to+push+open- 
source+boundaries/2100-7344_3-6096983.html 
http://open-management.com/ 


a 

Get That Chip out of My Drink 

As RFID technology matures, more and more industries 
are discovering new ways to benefit from it. The latest: 

a Miami company, Beverage Metrics, is banking on new 
software that uses RFID tags to track liquor inventory. 
Each bottle is tagged with an RFID-enabled switch that 
detects when a bottle is empty and then enters that bottle 
into the bar’s inventory system. Drinking establishments 
save money on inventory costs and bartenders are freed 
from the tedium of daily inventory. 

But don’t get too excited, mixmasters, as the switch 
also communicates with a bar’s POS system. Each pour 
from a bottle is registered and then reconciled with the 
appropriate ring-up. No ring-up? Then that drink that 
is “on the house” is really “on you.” The sensor on the 
bottle also records duration of each pour. This means no 
more stiff drinks for that curmudgeon at the end of the 
bar (and perhaps, no more weak drinks for the rest of us). 
WANT MORE? 
http://www.eweek.com/article2/0,1895,1986925,00. 
asp?kc=EWEWEMNLO71006EPW1A Q 


rants: feedback@acmqueue.com 


ne of the interesting things about WOYHD is seeing 

which tools developers seem to rely on most heavily. 
Despite the large amount of software available, a few 
core programs appear again and again. Even more intrigu- 


Who: Tom Cooper 
What industry: Human resources ASP 
Job title: Director of software architecture 
Flavor: Develops on Windows for 
Windows Server, Solaris 
Tool I love! Emacs. Well, OK, I lied. Eclipse 
is actually my favorite. But when I get 
a new machine, I put Emacs on it first. 
I have used it for several decades pretty 
much the same way: fast editing, keyboard 
macros, and occasional Emacs LISP programming. 
I still love to develop with Eclipse, but I gotta have 
Emacs around, too! 
Tool I hate! TOAD. My database developer colleagues 
are quite adept at it, but I find that compared with 
modern programming IDEs, these SQL 
tools are so archaic! What's that? A 28- 
character limit on identifiers? Yikes! 


Who: Salvatore Denaro 
What industry: Banking/Insurance/Finance/ 
Accounting 
Job title: Developer 
Flavor: Develops on Windows for Unix 
Tool I love! IntelliJ IDEA. Unlike most 
IDEs, it doesn’t overwhelm you with 
buttons and icons. It is there when you 
need it and stays away when you don’t. 
Ninety-five percent of the time it looks like 
a plain old text editor. 
Tool I hate! Visual Basic. It rewards you for bad 
design decisions, such as cut-copy-paste code trans- 
plants and putting business logic into the 
UI code, while making it hard to make 
good design decisions such as separating 
concerns and reuse. 
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What’s on Your 
Hard Drive? 


ing is that developers often dislike these very same tools. 
Read on to discover what others think about the software 
you depend on. Feel like expressing your own opinion? 
Log on to http://www.acmqueue.com! 


Who: Lucas McGregor 

What industry: Integration, data services, 

distribution 

Job title: Director of software 

Flavor: Develops on OS X for Linux 

Tool | love! NetBeans 5.0. It is a big 

improvement over the last version. It 

works intuitively with my existing CVS 

(Concurrent Versions System) and Ant 
setups rather than against them. It doesn’t 

force me to organize around its limitations as other 

IDEs do. 

Tool I hate! Visio 2003. I depend on Visio, but this 

version has been crippled. Many of the shortcut keys 

are gone and the basic but flexible widgets have been 

replaced with pretty but worthless versions. 

I always had to fight with Visio, but now 

I lose more often. 


Who: David Lewis 

What industry: Consulting and 

systems integration 

Job title: Developer 

Flavor: Develops on Windows for Linux (Ubuntu) 

Tool I love! Open Studio. I like developing 

in a nice IDE—with a RUN command. 

I can do all of my PHP, JavaScript, and 

HTML in one editor. The tabs for selecting 
open files are nice, and it’s relatively inde- 

pendent of my PHP and browser environments. 

Tool I hate! Vi. I loathe having to remember things 

(ID number, bank PINs, and keyboard shortcuts). 

I can edit only one file at a time. Having 

to exit the editor to run the file from the 

command line is also annoying. 
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PIs can change. Even the ones you’ve come to 

depend on over the years—the ones you thought 

were set in stone, indelible, immutable, pure. But 
fear not, because this month Kode Vicious offers his take 
on dealing with this most loathsome form of change. 
Encountered an equally annoying programming chal- 
lenge? Write to Kode Vicious at KV@acmqueue.com and 
vent until your heart’s content. 


ee 

Dear KV, 

I've been working on a software team that produces an 
end-user application on several different operating system 
platforms. I started out as the build engineer, setting up 
the build system, then the nightly test scripts, and now 
I work on several of the components themselves, as well 
as maintaining the build system. The biggest problem 
I’ve seen in building software is the lack of API stability. 
It’s OK when new APIs are added—you can ignore those 
if you like—and when APIs are removed I know, because 
the build breaks. The biggest problem is when someone 
changes an API, as this isn’t discovered until some test 
script—or worse, a user—executes the code and it blows 


up. How do you deal with constantly changing APIs? 
Changes 


Dear Changes, 

The best way to deal with change is to bury your head in 
the sand and ignore it. After all, we can all learn from the 
great management traditions of the past, and engineers 
are no exception to this. Hmm, perhaps not. 

What you point out is one of the biggest challenges in 
building large and complex systems. Software is amaz- 
ingly malleable, and that makes it possible (and, unfortu- 
nately, quite probable) that someone will make a change, 


Got a question for Kode Vicious? E-mail him at 
kv@acmqueue.com—if you dare! And if your letter 
appears in print, he may even send you a Queue coffee 
mug, if he’s in the mood. And oh yeah, we edit letters for 
content, style, and for your own good! 
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Facing the Strain 


A koder with 
attitude, kv ANswers 


often one that will break 
your system. What many 
engineers and program- 
mers don’t realize is that 
when they’re building a 
library, or really any component that others are supposed 
to depend on, the API becomes the contract between 
their code and everyone who uses it. 

As you point out, there are really three ways in which 
these contracts change. The first, adding an API, won’t 
affect your system because with no one to call it, the new 
API can’t really cause much damage. The second case, 
removing an API, results in an immediate error when 
your program is linked, either at compilation or runtime, 
so at least you notice this before trying to use the code. 
The last case is the one that will give you fits and night- 
mares because there are very few automated ways of find- 
ing an API that looks the same, but isn’t. At one place I 
worked we dubbed this “changative change” for want of a 
better phrase, or, it would seem, a decent technical writer. 

On one particular system about 80 percent of our 
problems were related to trying to reintegrate different 
subsystems. The problem, as you can imagine, grows 
quite quickly with the number of components involved. 
Two subsystems that depend on each other have at 
least one dependency, whereas four subsystems have six 
dependencies, and eight subsystems have 28, and so on. 
Testing all these possible combinations was referred to 
as the “matrix of pain.” Building up any sort of coherent 
system from a set of modules, all of which are changing, 
turns out to be very hard, but there are some solutions. 

Operating systems people have long known about 
this problem, so APIs that programs depend upon tend 
to change slowly or not at all. The basic open(), close(), 
read(), write() system calls in Unix and Unix-like operat- 
ing systems have taken the same arguments and returned 
the same types of values for 20-plus years. When subsys- 
tems are added, such as networking, new function calls 
are added as needed; hence, to open a network connec- 
tion you don’t call open(), because that would require 
changing its arguments and therefore all the code that 
already used it. Instead, you have the socket() system call 


YOUR QUESTIONS. 


MISS MANNERS HE AIN'T. 
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that takes different arguments but returns a value that is 
usable by read() and write(). Systems programmers also 
tend to narrowly define the set of functions they will 
provide because they know the nightmare of maintain- 
ing an arbitrarily wide set of APIs. FreeBSD, for example, 
has about 450 available system calls—that is, APIs that 
user programs call to get the OS to do something, such as 
read a file, open a socket, or find out the time. Although 


that number is not small, it is trackable and maintainable, 


whereas the number of APIs in the full set of Posix librar- 
ies or Microsoft Foundation Classes is far larger. 

Another trick that can be adopted from the systems 
programming world is ioctl(), or I/O control. Device 
driver writers can do most of the work using the simple 
open(), close(), read(), and write() semantics, because 
what most people want from a device is to open, or use 
it; read data from and write data to it; and then put it 
away, or close it. Unfortunately, it is often necessary to 
have device-specific controls that can be easily exported 
upward to the operating system—for example, to set a 
network device into promiscuous listening mode or to 
set its various address parameters. These special cases are 
where ioctl() is used. The ioctl() call has been used, and 
abused, over the years, but the basic design principle is a 
sound one. Always leave yourself an escape route. With 
an ioctl() interface you can add nearly any extra com- 
mand to your subsystem without breaking backwards 
compatibility or even adding a new function call. 

Lastly, there is discipline, which some people very 
much enjoy, but this is not that kind of magazine. What 
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I actually mean is that there has to be a decision made 
about how changes are introduced into a system. Chang- 
ing things fast seems to be in vogue at the moment; 

the so-called extreme programming methodology is an 
example of this. Fast changes work when no one but you 
or your team has your code, but eventually other people 
will be using it and that’s when the trouble starts. Many 
engineers simply decide that at some point an API is set 
in stone and has too many callers to change, and so any 
changes require new APIs. 

Unfortunately, I doubt I’ve solved your real problem, 
because unless you and your team write everything from 
scratch, you will be at the mercy of people who can, 
and will, cause you headaches. My only other advice is 
that your team use the smallest number of external APIs 
possible and not too many new or advanced features, as 
those are the ones mostly likely to change. 

KV 


KODE VICIOUS, known to mere mortals as George V. 
Neville-Neil, works on networking and operating system 
code for fun and profit. He also teaches courses on various 
subjects related to programming. His areas of interest are 
code spelunking, operating systems, and rewriting your bad 
code (OK, maybe not that last one). He earned his bachelor’s 
degree in computer science at Northeastern University in 
Boston, Massachusetts, and is a member of ACM, the Usenix 
Association, and IEEE. He is an avid bicyclist and traveler who 
has made San Francisco his home since 1990. 
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Mache Creeger, Emergent Technology Associates 


ith 1 TB of RAID 5 storage, most of my friends 
Wee: I have really gone off the deep end with 

my home server. They may be right, but as in most 
things in life, I have gotten to this point through a ratio- 
nal set of individual upgrades all perfectly reasonable at 
the time. Rather than being overly indulgent to my inner 
geek, am I an early adopter of what will be the inevitable 
standard for home IT infrastructure? Here is my story; 
you be the judge. 


A SIMPLE ROUTER 

Eight years ago, my employer at the time graciously 
funded cable-modem broadband Internet service at my 
home so I could work from there. The base service sup- 
ported only one PC. Because my wife and son each had 
a PC, I needed a way to share Internet access—a router 
to share Internet service and a home LAN to distribute 
network traffic. 

Using PC parts, I assembled a router out of an old 
486 computer with two Ethernet cards. I loaded Red Hat 
Linux 5.1 and configured ipchains for NAT (Network 
Address Translation). Everything was linked up to a 
10BaseT hub. What resulted was a forerunner of the retail 
appliance-based router/switches available today from 
companies such as Linksys and D-Link. 


SERIOUS INTERNAL INFRASTRUCTURE 

Feature creep inevitably occurred. Since the server ran a 
general-purpose operating system continuously, it seemed 
reasonable to add more infrastructure functions. I config- 
ured Samba to make server storage accessible to the PCs 
on the LAN and increased disk capacity. On a roll, I then 
added MAC-based static allocation of DHCP addresses 

for the LAN PCs, along with a caching DNS and an NTP 
(Network Time Protocol) server. 

It became more and more evident that I needed better 
security, so I incrementally enhanced the script for my 
ipchains (and later iptables) to provide the functions of 
a serious firewall. Starting with a base-level script that I 
found on the Internet, I continually tinkered, squeezing 
out more and more functionality. The script’s size bal- 
looned to 23 pages. 
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Rationalizing a 
Home Terabyte Server 


Self-indulgent, 

OR A VIEW OF 

SECO CURED MAKING THE SERVER 
INTERNET ACCESSIBLE 


Next I focused on making 
the server accessible from 
the outside Internet. The 
WAN IP address was allocated dynamically from the ISP 
via DHCP, and it changed frequently. When traveling, 
I needed a way to access LAN resources at home from 
my laptop over the Internet. I wanted a fully accessible 
Web server, an FTP upload and download server, and the 
ability to use Symantec’s pcAnywhere to directly control 
LAN-attached PCs (mostly to fix the regular disasters that 
occurred on my wife’s and son’s machines). 
By placing a small DDNS (dynamic DNS) client on the 
server, I had a DNS name guaranteed always to resolve 
to the current server IP address. I installed the Apache 
Web server, the vsftpd (very secure FTPD) FTP server, 
and modified the iptables firewall script to port forward 
pcAnywhere traffic to its corresponding LAN-based PC. 


OFFLOADING TO A ROUTER APPLIANCE 

At this point, I had a miniature version of what a small to 
medium-size company would use for its IT infrastructure 
without the requisite full-time staff. Keeping the server 
configured and updated properly became more and more 
of a challenge. Software and hardware upgrades inevitably 
brought misconfigurations and other random problems. 
System crashes brought my wife and son into my office to 
glare at me as I feverishly worked to bring the server and 
our Internet access back online. 

After the requisite number of kicks in the head from 
my family, my next effort was to offload some of the 
server’s mission-critical functions onto a retail router/ 
switch appliance. I purchased a Linksys wireless router 
and replaced its firmware with a third-party version 
expanding overall functionality. Now I had much of the 
router and iptables firewall functionality residing on a 
small, low-power device that was easier to maintain. FTP, 
Web, and Samba services remained on the server. 


X10 CONTROL OF CHILD DISTRACTIONS 


All my good efforts to provide my wife and especially my 
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son a rich computational environment were now being 
recognized. Given that my son had his own computer 
and a broadband Internet connection, he was very 
quickly becoming addicted to video games and random 
Internet browsing. 

In her own sweet way, my wife explained to me that I 
needed to correct this problem quickly. More technology 
was needed to correct the problem of too much technol- 
ogy for my son. Using X10 lighting and appliance control 
modules, I set up password-protected and Web-enabled 
controls that cut video to the TVs and power to my son’s 
computer on command and/or on a predefined schedule. 
Domestic harmony was soon back in balance. 


IMPLEMENTING MYTHTV 

My family then asked to be able to record and play back 
TV shows using Tivo. I did not want to pay for a Tivo unit 
and subscription and felt it was duplicated in what I had 
built in my home server. At that point I had two 200 GB 
drives of storage formatted in a striped disk array (RAID 

0) and many files shared between all the machines on the 
LAN. I had upgraded the hardware multiple times and 
currently had an AMD Athlon XP 2200+ running with 
757 MB of memory. 


I added more disks to the server, bringing the total 
number of 200 GB drives to six for a total of 1 TB of 
formatted RAID 5 storage. I added a used Nvidia FX 5500 
graphics card and a new Hauppauge WinTV-PVR-500 
video capture card. Then I installed MythTV. 

Surprisingly, installing MythTV was relatively easy. 
Precompiled packages were available on public reposito- 
ries, and Web-based step-by-step instructions were readily 
available. It took me one weekend from start to finish. 
With MythTV’s free EPG (electronic programming guide) 
from Zap2it.com, my wife and son have a user-friendly 
Web interface in which to record TV and play back video 
on either a computer or a specific TV channel. With 
recording done at approximately 2 GB per hour, 1 TB 
seems to be an adequate amount of storage for home use, 
with approximately one-half of the available space in use 
at the time of this writing. The interface has a rich set of 
recording semantics, so my wife and son can capture as 
many of their favorite shows as they want. With two tun- 
ers, the PVR-500 rarely experiences conflicts in recording 
selections. 


SO, AM 1 CRAZY? 


Am I being self-indulgent, or is this a view of the world 
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to come? Clearly, during my odyssey I discovered a need 
for sharing broadband Internet access through a router. 
This has been validated by the router/switch appliance 
marketplace. What else have I discovered? 
¢ Home IT services that are not defined by what you find 
in a commercial IT environment. In this regard I would 
say that while I found value in a home FTP and Web 
server, its value to the overall family has been minimal. 
¢ X10 control over video and outlet power to my son’s 
computer has clearly been a big hit with my wife. 
My son hates it. It clearly addresses a common need 
for families with children and PC/TV management 
problems. We have since shown the system to several 
friends, who especially like the password-protected, 
browser-based GUI that is accessible both on the inter- 
nal LAN or from any point on the Internet. No one, 
however, has attempted to replicate my efforts because 
of its perceived overall complexity. 
¢ MythTV video capture and playback has also been a big 
hit. My son and wife are now confirmed viewers of non- 
time-based TV content. 
What projects will I attempt next? 
e An IPsec (IP security) gateway to allow my laptop to log 
in from the Internet as a peer computer on my LAN. 


phenomenal” 
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¢ The integration of all telephone services into a single 
gateway to include POTS (plain old telephone service) 
and VoIP (voice over IP). 
So, is there a reason for a home server? I believe there 
is. Stripping away the mountains I climbed because I 
could from the mountains I climbed to provide value 
to my family, I have recognized that home IT services 
are not a replication of commercial ones. Services such 
as Internet broadband sharing, X10 power and video 
control, and MythTV are all viable utilities for my family. 
So the answer to my previous question is that my server is 
both self-indulgent and a view of what may occur in the 
future. But make no mistake, if it weren’t self-indulgent, it 
would not have been anywhere near as fun. Q 
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Compliance 


Blowing it off 
is not an option. 


compliance is boring. Really, 

really boring. And besides, I 

work neither in the financial 
industry nor in health care. Why should I care about 
SOX and HIPAA?” 

Yep, you're absolutely right. You write payroll applica- 
tions, or operating systems, or user interfaces, or (heaven 
forbid) e-mail servers. Why should you worry about 
compliance issues? 

Compliance is about that most boring and incompre- 
hensible topic: laws and regulations. And it’s not all that 
well defined. Compliance encompasses everything from 
making sure that personal finance information doesn’t 
fall into the wrong hands to enforcing sexual harassment 
policies. 

There are a few of us who can blow off this topic. 
Some of us really do write screen-saver software that 
doesn’t interact with anything else. 1 know one guy who 
builds robotic toys, which have safety concerns, but not 
compliance issues, in the sense of this article at least. Many 
researchers need their code to run only long enough to 
get their theses written, at which point the code can go 
to the great bit-bucket in the sky. Most of us, however, do 
have to worry about compliance. 

Be you an application programmer, systems developer, 
or systems administrator, you're probably going to run up 
against compliance sooner or later. Probably sooner. 


MOST OF US LIVE IN THE REAL WORLD 

It’s often said that writing software would be so much 
easier if only we didn’t have to deal with users. And so 
it is. The reality, however sad it may be, is that most of 
us must or want to write software that works in some- 


ERIC ALLMAN, SENDMAIL 


Compliance 


thing like the “real” world. Open source? Well, why open 
source your code in the first place if you don’t expect 
other people to use it?—and you can’t predict how they 
are going to use it. Mail programs, operating systems, 
network stacks, application libraries? They might (read: 
will) be used in the financial industry, healthcare, govern- 
ment, you name it (that is, if you succeed; if you plan on 
everything you do failing, you can ignore all of this). That 
means you should know at least the basics. 

A good rule of thumb is probably this: If your code 
might be used in a business setting and will ever directly 
or indirectly interact with the public, or if it will be used 
by a company in a regulated industry or by a publicly 
traded company, you will probably need to come to grips 
with compliance. This is interpreted broadly; for example, 
authentication and authorization modules will probably 
be impacted even though they don’t explicitly manipu- 
late business data, since they can be used in a sensitive 
context. There are the obvious cases, of course: If you are 
writing financial applications, you will need to com- 
ply with SEC regulations; if your application manages, 
processes, stores, or in any way touches business-sensi- 
tive data for a public company in the United States, you 
must pay attention to SOX (Sarbanes-Oxley Act of 2002); 
if your application will be run in Europe, you should be 
aware of appropriate EC (European Commission) regula- 
tions; there are international accords such as Basel II pro- 
viding capital regulations for the banking industry; health 
patient record management systems need to comply with 
HIPAA (Health Insurance Portability and Accountability 
Act); and so forth down the line. 

Suppose that you write a database library. Financial 
and health records are maintained in databases, so you 
probably need to think about how to achieve compli- 
ance across multiple regulations. If you work on anything 
related to communications—whether networking, e-mail, 
instant messaging, or Web applications—your code will 
probably be used to transfer sensitive data at some point. 


COMPLIANCE COMPONENTS 

What do you have to worry about if you are writing 
software that might someday, somehow be used in a 
regulated company? 

Privacy. One of the most basic elements of compliance 
regulations is to keep private records private. It’s almost 
impossible to open a newspaper these days without 
reading about some organization that has had data lost 
or stolen. Besides creating compliance problems, these 
incidents are expensive and embarrassing for the organi- 
zation. 
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Information to be kept private includes account 
numbers, social security numbers, financial data (account 
balances, etc.), data on treatments and prescriptions, 
financial vehicles, addresses and phone numbers, you 
name it. Perhaps a good metric would be to ask yourself, 
“Would I mind if this data were published about me? 
Would my friends mind if it were about them? Would it 
help someone who was trying to steal my identity?” 

Just to make things extra complex, the privacy regula- 
tions vary from place to place, occasionally in incom- 
patible ways. There’s more than just the U.S. federal 
government to consider. Some states have local laws, and, 
of course, the European Union has its own regulations. 
For example, The Times (June 10, 2006) reported that the 
Equal Opportunities Commission in the U.K. advised 
that all companies need to scan e-mail for possible sexual 
harassment. 

Examples of issues to think about include: 
¢ Am I storing data that I don’t really need to store? 
¢ Am I encrypting all the data that I really do need to 

store? 
¢ Have I taken adequate precautions to ensure that only 
people with proper authorization can access this data? 
¢ Are my backups encrypted? 

Accountability. Companies are held accountable for 
inappropriate use of data or systems. For example, there 
was a case where analysts at a large financial house were 
working in concert with the traders at the same company 
to “pump and dump” certain stocks. An e-mail paper trail 
showed that some analysts had been publicly touting a 
particular stock while privately referring to it as “a dog.” 
The point is not that you should never save your e-mails 
so that you can’t be caught, but rather to make sure the 
trouble doesn’t occur in the first place. Many compa- 
nies have created “Chinese Walls” to prevent people on 
opposite sides of the house from exchanging sensitive 
information. 

Auditability. Increasingly, regulators are demand- 
ing that information systems leave a virtual paper trail 
of everything they do in the event that information 
does leak. For example, many financial institutions are 
required to keep copies of everything that goes in and out 
of the company: physical mail, e-mail, instant messages, 
recordings of telephone calls, etc. 

If information does leak, you want to know who 
leaked it and how broadly it was disseminated. You also 
have to work on the assumption that some employees are 
acting inappropriately, either through ignorance or mali- 
cious intent; it’s important to be able to find them and 
train them or fire them, as appropriate for the transgres- 
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sion. An audit trail can also be useful to protect yourself: 
If you find yourself in court having to assure a jury that 
you did not e-mail a hot stock tip to a customer, you want 
a complete record of all the e-mail that you did send. 

It’s worth pointing out that auditability does not mean 
“retain all data forever.” Besides being impractical, this 
can have policy and legal implications. Instead of delet- 
ing data randomly, however, a company should have a 
clear retention policy that gets followed throughout the 
organization. 

Policies. Companies should have clear, written policies 
for how data is handled. Of course, it’s not your job to 
create or write those policies, but it is your job to make 
sure that your code can adapt to different policies from 
different companies. 


Being able to 
document what you do 
is often more important than 


what you document. 


Some of these policies may transcend the obvious 
regulations. Some companies have been successfully sued 
because their e-mail systems were used to convey material 
that was considered to be sexual harassment. This means 
that companies increasingly want to scan internal mail 
for words that might indicate a problem. For example, 
e-mails with the words [deleted —ed.], [deleted], or [deleted] 
probably shouldn’t be transmitted through corporate e- 
mail—and it’s the job of the e-mail system to catch these. 

Manageability. Compliance generally requires that 
management be able to determine the status of informa- 
tion. Code should be written to adapt to monitoring—for 
example, by including extensible support for MIBs (man- 
agement information bases). Applications and libraries 
should be designed with these requirements in mind. 

Documentation. Being able to document what you 
do is often more important than what you document. In 
fact, many compliance regulations do not require that 
you do something specific, but that your company clearly 
documents what it does, actually follows those policies, 
and makes those policies available as appropriate. 

For example, you’ve probably received privacy policies 
from the financial institution of your choice. Many of 


more queue: www.acmqueue.com 


these read, more or less, as follows: “We can give your 
data to any of our valuable marketing partners at our 
discretion.” But the important part is that they have 
documented it. Similarly, your code should have clear, 
documented interfaces and behavior. 


SUMMARY 

A fair amount of what I’ve said here is utopian. Unfortu- 
nately, most backup tapes are not encrypted (but prob- 
ably should be), and even with the best of intentions a 
lot of code is under-documented—and I certainly have to 
include much of my own code in that. In all likelihood, 
however, these types of compliance requirements are 
going to become more stringent over time, not less, and 
these will become larger issues. 

The bad news is that these regulations are huge, com- 
plex, and frankly inscrutable to anyone who doesn’t have 
a law degree in a specialized area. The good news is that 
the vast majority of these regulations are not about the 
computerized portion of the problem and, hence, aren’t 
going to be your problem. Q 


Disclaimer: | am not a compliance expert, just another tech- 
nologist who has been dragged into this world kicking and 
screaming. This is just a bit of what I’ve learned in this very 
confusing area.—FA 
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The Sarbanes-Oxley Act of 2002 can be tidily summed 
up as trying to answer the not-so-simple question, 
“Says who?” when it comes to proper corporate finan- 
cial reports. Because of a spate of major corporate and 
accounting scandals at the turn of the century—perhaps 
best punctuated by the collapse of Enron and Arthur 
Andersen—Sarbanes-Oxley, or SOX, was designed to 
shore up public and investor confidence in financial 
reporting. 

Yet the sometimes-unanticipated consequences of the 
act’s 11 sections, which range from stepped-up respon- 
sibilities for corporate governance boards to criminal 
penalties for violators, have been far-reaching—and not 
always considered productive. Costs associated with SOX 
compliance have been blamed for muting the market for 
IPOs (initial public offerings), quelling the venture capital 
climate for incubating start-ups, as well as causing at least 
a short-term drag on the U.S. gross domestic product. 

Named for Congressional sponsors U.S. Sen. Paul Sar- 
banes (D-Md.) and U.S. Rep. Michael G. Oxley (R-Ohio), 
the act was overwhelmingly approved by a vote of 423-3 
in the House and 99-0 in the Senate. It marks the most 
sweeping change in corporate governance regulations 
since the aftermath of the Great Depression of the 1930s. 

SOX mandates new or enhanced standards for all U.S. 
public company boards, management, and the public 
accounting firms that service, audit, and advise them. In 
essence, the act defines proper corporate governance, 
who should monitor such governance and how it should 
be monitored, and sets up the means to enforce proper 
standards for compliance and establish culpability for 
noncompliance. 

As part of that good governance umbrella, the SEC 
(Securities and Exchange Commission) has gained new 
strength through SOX to make rulings on corporate 
behavior that does or does not comply with the new. law. 
SOX also established a new authority, the PCAOB (Public 
Company Accounting Oversight Board), which oversees 
and, when needed, disciplines accounting firms as they 
audit public companies. 

In addition to creating the PCAOB, the law requires 
public companies to evaluate and disclose the effective- 
ness of their internal financial reporting controls, as well 
as to have independent auditors “attest” to the validity 
of these measures. Companies must also have their chief 


executive officers and chief financial officers regularly 
certify the financial reports. 

As a reform measure, the act more purely defines 
auditor independence by excluding certain types of 
work between clients and auditors. To obviate even the 
appearance of conflicts of interest, SOX requires that 
public companies have committees just to oversee the 
relationship between the company and the auditors. SOX 
disallows most personal loans to executive officers and 
directors, any nonreporting of stock trades by insiders, 
and insider trades during pension-fund blackouts. 

Those caught improperly dipping from the well of 
inside knowledge or knowingly and willfully misstat- 
ing financial results face stiff criminal and civil penalties, 
including jail time and fines, for violating securities laws 
under SOX. 

Although SOX is sometimes derided for causing an 
economic penalty through significant additional levels of 
regulation, tracking, and monitoring, it has also juiced 
up the industries around products and services to assist 
in defining and implementing corporate governance 
and achieving SOX compliance. For example, vendors 
supplying computing systems and software to track, 
update, and manage reporting processes and data have 
benefited. Systems in hot demand have included those 
for document management and financial data access, as 
well as storage systems for archiving additional financial 
information. 

These SOX-related costs have amounted to millions 
of dollars for large corporations. Ironically, among the 
biggest beneficiaries, at least during the opening years 
of SOX, have been the accounting firms themselves, the 
result of a spike in demand for audits and governance- 
related services. 

Companies that may have assumed that SOX compli- 
ance was a one-shot affair or a project-based activity may 
be in for a surprise. Studies and recommendations from 
management consulting firms are pointing to a long-term 
effect from SOX: the necessity to create an ongoing SOX- 
compliance layer that becomes a fixture of large publicly 
traded companies—that is, until some future concentra- 
tion of corporate scandals forces yet another reevaluation 
and remediation of the status quo. —DG 


ts 


SIE EY RD OPES STEN, 


‘ns 


Ee, ol 


Although full implementation of the international Basel II 
accord for improved banking capital management is not 
due until 2008, its impact is already being felt. Aimed at 
preventing international banking crises and reducing the 
risk from a highly fractured approach to banking across 
many countries, Basel II (officially known as the Interna- 
tional Convergence of Capital Measurement and Capital 
Standards—A Revised Framework) augments the first 
Basel accord, adopted in 1988. 

The 13 countries that make up the Basel Committee 
on Banking Supervision have been working since 1999 to 
revise the international standards and methods for jibing 
banks’ capital expectations with economic reality. The risk 
of banking missteps has increased in recent years along 
with globalization. Markets are no longer defined by 
borders but in fact consist of many countries, with many 
banking systems and regulatory definitions. 

By creating more consistency in how banks and regu- 
lators in as many as 100 countries manage risk in terms of 
capital and demands, Basel Il is designed to forestall and 
prevent unanticipated failures—and the harmful domino 
effect of additional failures that sometimes follow one 
bank’s or region’s failure. Basel Il is also aimed at prevent- 
ing regulators from finding ways around banking best 
practices and making the global approach to banking 
systemic rather than spotty in definition, measurement, 
or enforcement. 

Designed to encourage stability in the international 
financial system, Basel Il is tasked with reducing risk by 
making sure capital is allocated prudently. The accord also 
fosters better measurement and management of credit 
risk and isolates it from a bank’s operations. Furthermore, 
Basel Il makes aggressive regulatory oversight imperative 
in more instances and in concert with regional and inter- 
national best practices. Specifically, Basel Il’s “three pil- 
lars” consist of minimum capital requirements, improved 
supervisory review, and greater market discipline. For 
example: 

e Pillar one aims to better calculate the proper capital 
requirements for banks’ credit risks, operational risks, 
and market risks, and encourages the use of advanced 
data collection and sophisticated risk management 
techniques. 

e Pillar two gives regulators additional means over Basel | 
to manage banking risk issues and expands the scope of 
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what regulators can enforce under such residual risks as 
liquidity and legal risks. 

e Pillar three mandates far greater disclosure from banks 
to provide markets with warnings or assurances on how 
the banks are actually faring. 

It was only in June 2006 that a comprehensive version 
of all Basel Il accords, based on the June 2004 final frame- 
work, was published. Preliminary work is already under 
way on Basel Ill, with these early goals: better defining 
what constitutes bank capital, further quantifying types of 
risk, and mandating the use of additional tools to manage 
and measure banking missteps. 

The Basel accords are not without critics. By join- 
ing many banks together in a timed and mandated risk 
evaluation process, critics fear that Basel II will exacerbate 
economic downturns because many more banks will 
simultaneously squeeze credit in like fashion, based on 
similarly perceived risks and regulatory mandates. Smaller 
banks cry out that the new system favors larger finan- 
cial institutions, because they are better able to absorb 
the costs of change. Developing economies object that 
the Basel Il requirements, in effect, make credit more 
expensive than when today’s mature economies were in a 
similar state of growth. 

By working to eliminate regional crises and rapidly 
escalating failures, however, Basel I! should ultimately 
reduce the long-term ill effects of a Swiss cheese 


approach to banking regulations. Developing countries 
will face less severe crashes, and credit access should 
improve because of far less overall risk and more transpar- 
ency in the global system. —DG 


DANA GARDNER (dgardner@interarbor-solutions.com) 4 i 
is president and principal analyst at Interarbor Solu- “ 
tions of Gilford, New Hampshire, an IT industry market 
research and consulting firm. A prolific blogger and 
podcaster, Gardner covers application development and 
deployment strategies, services-oriented architecture, and 
software infrastructure. He also advises clients on RSS, 
viral marketing, and podcast content creation strategies. 
He is a former Yankee Group analyst, and a former editor 
at large of InfoWorld. 
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1996 (affectionately known as HIPAA) dealt with several 
issues surrounding health insurance. As its name sug- 
gests, one issue was the ability of persons who had health 
coverage through an employer to maintain that coverage 
(“port it) when they changed employment. 

In the computing industry, HIPAA is better known 
for its Administrative Simplification section. This section 
mandated that the information for managing health- 
care financial claims and reimbursement be commu- 
nicated with EDI (electronic data interchange) using 
data interchange standards recognized by ANSI (the 
American National Standards Institute). The objective was 
to enhance the speed and effectiveness of the claims pro- 
cess, thereby reducing the back-office costs of providing 
and financing health care. 

Data interchange standards specify the structure and 
content of messages or data sets being sent from one 
computer system to another. These standards are imple- 
mented in software that assembles the messages from 
data sources (files and databases) in the originating sys- 
tem, and in other software that parses the message and 
places the data in the files and databases of the receiv- 
ing system. Data stores on the originating and receiving 
systems rarely have identical structure, As a consequence, 
data interchange commonly requires that the data be 
transformed twice: once when the message is assembled 
at the originating site, and again when it is parsed at the 
receiving site. 

The ASC X12N (the Accredited Standards Committee's 
subcommittee for insurance) developed and approved 
core standards specified for HIPAA Administrative Simplifi- 
cation during the early 1990s. Supporting standards were 
those of the Dental Content Committee of the American 
Dental Association, Health Level Seven, the National 
Council for Prescription Drug Programs, the National 
Uniform Billing Committee of the American Hospital 
Association, and the National Uniform Claim Committee 
of the American Medical Association. These six organiza- 
tions are listed in the HIPAA regulations as the designated 
standards maintenance organizations supporting HIPAA. 
They maintain and operate a transaction change request 
system for receiving and reviewing publicly proposed 
changes for the sets of standards that are mandated for 
HIPAA (see http://www.hipaa-dsmo.org/). 
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The original legislation called for implementation in 
summer 1999. The actual process took more than twice 
as long, with the first compliance deadlines occurring in 
fall 2002. Standardized data interchange is now largely 
complete. 

As the delayed schedule suggests, the course of imple- 
mentation has not always been smooth. The thorniest 
issues surround rules for data privacy and security. Today 
more people know of HIPAA for its privacy and security 
rules than for its EDI impact. (Indeed, a Google search 
on the single term HIPAA will take you to a Department 
of Health and Human Services Web page whose primary 
title is “Medical Privacy—National Standards to Protect 
the Privacy of Personal Health Information.”) 

Detailed, individual health data has always been 
part of the paper trail needed to support health insur- 
ance claims. The requirement to communicate this data 
electronically between the computers of independent 
corporations (health-care providers, insurers, and inter- 
mediaries) raised questions of who owns and controls the 
data, and who is ultimately responsible for it. The govern- 
ment took several years to create privacy and security 
regulations, then get them approved and!implemented. 
From the consumer's perspective, these regulations are 
just a new set of forms that health-care providers ask 
them to sign authorizing the release of information for 
claims purposes.—GB 


HL7 (Health Level Seven) is a not-for-profit organization 
formed “to create standards for the exchange, manage- 
ment, and integration of electronic healthcare informa- 
tion.” HL7 consists of both individual and corporate 
members, including health-care providers, software 
developers, medical informaticists, and consultants. 

When HL7 was founded in 1987, its members needed 
data standards to link multiple computer systems within 
large hospitals or medical centers. These systems were 
introduced to help manage the laboratory and patient 
administration functions of those institutions. The first 
HL7 standards, known as HL7 Version 2, have grown and 
matured. Today they are used in more than 95 percent of 
large health-care institutions in the United States and are 
broadly implemented in other countries. 

In 1994, HL7 modified its consensus practices to meet 
the criteria of ANSI (the American National Standards 
Institute). HL7 then sought and received accreditation 
from ANSI as a standards developing organization. All 
HL7 standards developed since then have been registered 
as American National Standards. 

As early as 1992, organizations in other countries 
sought accreditation as HL7 International Affiliates so 
that they could use and publish the standards and cre- 
ate implementation guides appropriate to their regions. 
This program has grown dramatically in the last decade. 
Today there are affiliates in more than 26 countries, with 
participants from every continent except Antarctica. The 
affiliate members have taken active, important roles in 
defining and developing new HL7 standards that meet 
the needs of a broader range of health-care computing 
environments. 

About 10 years ago, HL7 recognized the need to 
create a more stable and durable foundation for the 
standards it was developing. It began working on HL7 
Version 3, which is a family of data interchange standards 
based on a single RIM (reference information model) and 
a common set of vocabulary (terminology) specifications. 

To support Version 3 development, HL7 created a 
formal methodology for defining these model-based 
standards. The methodology is similar to modern soft- 
ware development methodologies. The standard data 
structures are defined as abstract UML-compliant static 
information models derived from a single semantic model 
of health information. This model is the HL7 RIM adopted 


as an HL7-ANSI standard three years ago and will become 
an ISO standard in the near future. 

Every year, HL7 publishes a Normative Edition of all 
Version 3 specifications that have been balloted and 
reached normative status. The 2006 edition includes all 
of the core specifications for the RIM, vocabulary, data 
types, and communication wrappers, plus detailed speci- 
fications for patient administration, accounting, claims 
personnel management, scheduling, records manage- 
ment, public health, clinical genomics, and clinical trials. 

The challenge in creating standards for communica- 
tion of clinical data is to assure that the standard data 
structure can convey the complete clinical context for 
the data. Context not only includes who observed what 
about whom, but may also involve why the observa- 
tion was made, what other conditions affect the subject, 
where the observation was made, etc. 

HL7 Version 3 expresses this contextual information by 
providing explicit data relationships as part of the struc- 
ture and encoding the nature of each contextual relation- 
ship in HL7-defined vocabulary terms. This contrasts with 
HL7 Version 2 (and similar early standards) where the 
contextual relationships were implicit rather than explicit, 
and thus were at risk of being misinterpreted. As a result, 
the Version 3 structures can communicate a complete 
health record, whereas the Version 2 structures are more 
appropriate for communicating record fragments. 

Because HL7 Version 3 can support the complete 
representation of clinical data and because of the efficien- 
cies seen when implementing model-driven standards, 
Version 3 has been designated as the primary standard for 
national health-record projects in a number of countries, 
including England, Canada, Germany, the Netherlands, 
Japan, and Korea. —GB 


GEORGE W. BEELER, JR., PH.D. (woody@beelers.com) 
is president of Beeler Consulting LLC. He is a member of 
the emeritus staff of Mayo Clinic, Rochester, Minnesota, 
where he held leadership roles in clinical computing and 
medical informatics. He has been active in HL7 for the 
past 13 years. He served on the HL7 board for nine years, 
was board chair for two years, and is currently a co-chair 
of the Modeling and Methodology Committee that over- 
sees Version 3. 
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Manual build scripts Even the most well designed build scripts struggle to meet the 
demands of an agile development environment striving to meet 

are costly, error prone, IT compliance mandates. Reduce your IT cost, improve your build 
risky and don’t meet quality and reduce your IT risk using Openmake’s 100% reusable 


‘i build framework. 
IT compliance mandates. 
* Hard coding creates an inflexible build. Flexibility is 


Openmake simplifies needed for agile and sustainable build demands executing 
across multiple stages of a development lifecycle. 
the PFOCess. * Static source code references cause unapproved source code 

to be moved to production without an audit trail. 

* Hidden Compile flags prevent builds from being properly 
configured for production release. 

* Manual coding is hard to maintain, error prone and 
prevents the separation of duties between development 

and production control. 


| Openmake allows you to minimize your dependency on non 
sustainable, manual scripts while providing a full ALM build to 
release workflow. Give yourself some options. Don’t design your 


builds around expensive hard 
coded build scripts. 
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JOHN BOSTICK, dbaDIRECT 


ata is a precious resource for any large organiza- 
tion. The larger the organization, the more likely 
it will rely to some degree on third-party vendors 
and partners to help it manage and monitor its 
mission-critical data. In the wake of new regulations for 
public companies, such as Section 404 of SOX (Sarbanes- 
Oxley Act of 2002), the folks who run IT departments for 
Fortune 1000 companies have an ever-increasing need to 
know that when it comes to the 24/7/365 monitoring of 
their critical data transactions, they have business part- 
ners with well-planned and well-documented procedures. 
In response to a growing need to validate third-party 
controls and procedures, some companies are insisting 
that certain vendors undergo SAS (Statement on Audit- 
ing Standards) 70 Type II audits. These audits refer to an 
AICPA (American Institute of Certified Public Accoun- 
tants) standard that sets forth the practice for evaluating 
the performance of outside service organizations. (A Type 
I audit describes the business’s controls, noting if they are 
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suitably designed and in place; a Type II audit tests those 
controls and reports if they are working adequately.) 

SAS 70 Type II audits have become increasingly impor- 
tant for major corporations because management has to 
assess the effectiveness of not only the company’s inter- 
nal controls over financial reporting, but also the critical 
outsourced services that might materially impact those 
controls—such as third-party monitoring and manage- 
ment of an organization’s databases. 

As a business partner or service provider to large 
corporations, you provide a valuable service to current 
and future clients by taking on an SAS 70 Type II audit 
yourself. You may be used to people coming in to look 
under every tile in your facility before signing on the dot- 
ted line, even if this is generally regarded as a hassle from 
both perspectives. Because of SOX, however, this check- 
ing is going to become more prevalent. Auditors from 
anyone and everyone you would consider doing business 
with are going to start showing up on your doorstep. 
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Completing an SAS 70 Type II audit says a company 
has processes that are accurate and robust and provides 
official federal paperwork to back up these claims. Simply 
being able to say you have completed such an audit may 
smooth the rest of the process a potential client company 
will put you through—and while today it could be a com- 
petitive advantage, it will soon be a competitive necessity. 


HOW TO GO ABOUT IT (A FIRSTHAND ACCOUNT) 
When you decide on an SAS 70 Type II audit, find a 
CPA firm with a robust audit practice built around SOX. 
A good firm will come in, tell you about what you are 
going to go through, and show you the roadmap for a 
Type II audit. 

The first thing you'll do is create a “war room,” where 
the documenting of your processes will be available in a 
central location and in a particular way. You will probably 
have to test your processes and continue to think them 
through. Traditionally, you may not have done a lot in 
the way of “buddy-checking,” but the Type II prepara- 
tion will force you to knuckle down on each other’s work. 
Buddy-checking sometimes means stepping on delicate 
egos. Cerebral repositories won’t work as a final product. 
It is important to make sure everything is organized and 
documented. 

In our case, I had our chief technology officer, who 
is the top IT person at the company, assign his head of 
security and networking to take on the project and really 
get into the bowels of the audit process. We also had the 
operations leaders under him produce documentation on 
the event-processing systems. 

In areas where we were light on documentation, we 
needed some all-nighters to develop the required robust- 
ness for the auditors. We had a guideline of what depth 
levels to reach. Those levels are significant to most com- 
panies, whether large or small, but most companies today 
don’t have the resources internally to redocument while 
also performing their day-to-day activities. 

At least, we didn’t. So in preparing for the challenge, 
we had eight to 10 employees, not including those who 
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were interviewed, working with the auditors to demon- 
strate the documentation and the processes. With the 
exception of three or four employees, most were involved 
for a half-day or so. The other employees, especially those 
who deal with security and connectivity, were involved 
for a couple of weeks and captive for most of that time. 
Again, however, I would say that by being proactive 
with the initial SAS 70 Type II and the renewals that fol- 
lowed, we have really helped mature our company from 
an operations standpoint. Frankly, as a CEO, given that 
a company’s processes and controls are very difficult to 
measure on a balance sheet, knowing that your company 
has a certain level of preparedness and operational excel- 
lence in these areas is very comforting. 


THE BENEFITS 

The most obvious benefit for our company was that we 
learned about processes and controls cross-functionally 
within our organization. Our first SAS 70 Type II audit 
required us first to take a long look at what controls we 
had and where we might have some holes. Sometimes 
the C-level leadership believes controls are in place, but 
the reality is that they aren’t, or they’re not documented 
properly. The SAS 70 Type II audit showed where we 
could improve on the processes and controls we had, and 
it forced us to increase our cycle time for better processes 
moving forward. 

I would recommend that everyone doing business 
with large companies get these audits. If the client does 
ask for it, and you say no, then you may have just dis- 
qualified yourself as a business partner. Q 
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feedback@acmqueue.com or www.acmqueue.com/forums 
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he topic of compliance becomes increasingly complex 
each year. Dozens of regulatory requirements can affect 
a company’s business processes. Moreover, these require- 
ments are often vague and confusing. When those in charge 
of compliance are asked if their business processes are in 
compliance, it is understandably difficult for them to respond 
succinctly and with confidence. This article looks at how 
companies can deconstruct compliance, dealing with it in 
a systematic fashion and applying technology to automate 
compliance-related business processes. It also looks spe- 


cifically at how Microsoft approaches compliance to SOX 
(Sarbanes-Oxley Act of 2002). 


COMPLIANCE DRIVERS 

Regulatory legislation and corporate governance are primar- 
ily what drives compliance. Failure to comply with legislation 
such as Sarbanes-Oxley can lead to fines and disruption of 
day-to-day business. Even companies that are not concerned 
with regulatory legislation need to protect important corpo- 
rate resources such as customer data and trade secrets. 


These compliance drivers are leading to increased con- 
cerns about how policies might affect business processes, 
ranging from who can approve salary changes to which 
paper supplier to use. For most companies the main driver 
for compliance should be those processes that affect the 
bottom line. This is a good reason for conducting a formal 
compliance assessment as the first step toward beginning a 
compliance program. A compliance assessment can identify 
poor or missing processes that could negatively affect the 


company’s value. 


break it down, 

jo compliance is 
largely about 
ensuring 
that business 
processes are 
executed as 
expected. 


Compliance is not a new phenomenon and is not unique 

to enterprises. Teachers want their students to comply with 
class requirements. Police want citizens to comply with laws. 
Parents want their children to comply with certain behaviors. 
Validating that their children are adopting a desired behav- 
ior, however, is difficult. For example, parents can tell their 
kids to stay away from adult Web sites and be careful about 
sharing information with strangers on the Internet, but it is 
difficult to know that their pleas are being heard. If it is hard 
to ensure compliance in your own household where there 


Compliance 


is a high level of control, trying to ensure compliance 

at a company with 1,000 employees is a daunting task 
indeed. The lesson here is that validation is the essence of 
compliance. 

Compliance is simply about ensuring that business 
processes are executed as expected. Many companies are 
concerned about the onslaught of legislation and the 
possible fines for non-conformance with mandates. They 
often rush to add tighter physical security, refining access 
permissions on file shares and internal Web sites and 
investing heavily in encryption technology, without look- 
ing at how those activities are tied to business processes. 

Does adding an encryption feature to a product help 
enterprises address their compliance needs? Not unless 
it can be managed centrally by an IT administrator and 
its effectiveness in protecting data can be validated in 
a report. Otherwise, how useful can it be? Technol- 
ogy investments are fine, but they should be capable of 
enforcing the IT controls and business processes that have 
been defined for a company. In addition, there must be a 
way to validate their effectiveness. Although encryption 
is an important technique for protecting sensitive data, 
if a company has to deploy it manually on thousands of 
computers with no way of proving it is effective, it will 
not be of long-term value to the company. 

Let’s consider another household example. Most fami- 
lies have locks on their doors, but if they go on vacation 
for two weeks, can they say with certainty that no one 
has entered their home? Even if the house has an alarm 
system, it’s hard to be certain that the house has not been 
entered. What if the same house had each room continu- 
ally scanned with a camera that forwarded the images 
to the homeowner’s phone? The homeowner could be 
warned if someone was moving inside the home or if the 
monitoring system was deactivated. This would provide 
better proof than a lock or an alarm system. 

Now let’s map that same issue to an enterprise where 
a CIO may be responsible for the protection of thousands 
of resources. The deployment of permission settings and 
encryption cannot validate compliance. For example, if 
a CIO wants to prevent insider trading, he or she could 
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place strict access permissions on all acquisition content 

and even encrypt the most sensitive data. If an auditor 

asks the CIO, however, to verify that only people who 

are part of the acquisition team have viewed acquisition 

documents, the auditor doesn’t want to see an encryp- 

tion setting. The CIO should be able to produce reports 

validating that only members of the acquisition team had 

access to the acquisition documents during the acquisi- 

tion period. This can be done only through access logs 

that can be easily fed into reports that answer questions 

such as: 

e Who accessed protected content during the acquisition 
period? 

e Did each person have a need to access the content? 

¢ Did the membership of any security group for the con- 
tent ever change? 

¢ Was all acquisition content protected during storage 
and transmission? 

¢ Was any acquisition content ever transmitted outside of 
the scrutiny of the company? 

These questions all address the essence of compli- 
ance—validation. 

Consider the real-life example of an enterprise policy 
management software company that wanted to help com- 
panies place sophisticated controls on who could access 
sensitive data. Before the system could be deployed, all 
sensitive data had to be assigned to a set of categories 
such as medical or financial, and each employee had to 
be assigned to a role. Then rules could be applied to the 
data to control access. For example, data of a specified 
category could be accessed by individuals in the appropri- 
ate role for approved purposes under certain conditions with 
a few allowed exceptions. This appears to be the type of 
system that most companies would want to help them 
address compliance, but the software company found 
time and again that most companies were concerned 
that such a complex system could bring normal business 
processes to a halt because of poorly written policy. They 
were more interested in a system that would simply tell 
them where their data is and who is accessing it, espe- 
cially those accessing it inappropriately. 
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TACKLING COMPLIANCE THROUGH CONSOLIDATION 
Many companies have separate teams focusing on specific 
types of compliance. This can cause duplication of effort 
and result in conflicting policies. Although more than 
one piece of legislation can call for the protection of per- 
sonal information, a company shouldn’t have multiple 
policies that instruct employees on how to protect the 
same type of data. 

Consolidating the management of compliance can 
lead to the creation of a single corporate compliance pol- 
icy. In this manner, addressing new compliance legisla- 
tion is a simpler matter of temporarily assigning a couple 
of people to deconstruct the needs of the new legislation 
and updating the single policy where necessary. 

Some companies attempt to create policy at the 
corporate level and apply it to each department. This 
can be impractical for companies with diverse depart- 
ments. Ensuring that the policy is meaningful to each 
department and is updated as processes evolve would be 
unmanageable. 

A better approach is to create corporate policy that 
provides a high-level view on how business processes 
should be managed. Each department should then adapt 
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is a compliance area that 
is impact on a company. re we | 
cM (sof ware configuration m Janagement). 
uration management, however, 1 include 
operating system, application, netyOrk, and hardware set- 
tings. The software that is installed on a computer system 
can affect CPU and netwo gpetiormance, licensing costs, 
virus proliferation, and the efficiency of employees. For 
this reason, IT professionals want to be able to ensure that 


each computer in their scope is running the right software. 


SCM starts with an assessment. You should obtain the 
assistance of experienced professionals from companies 
such as Accenture and PricewaterhouseCoopers to assist 
you. The assessment should look at the various computer 
roles needed to manage each company task. Possible 
server roles include: Web, authentication, database, devel- 
opment, file and printer, and accounting. 

For each server role, you need to determine the appro- 


priate operating system and application software. You may 


also need antivirus software and other programs that are 
needed for every computer. You need to track the version 


of the software, as well as number of copies licensed. A risk 
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the policy to its own business processes. For example, the 
corporate policy can define sensitivity levels to be applied 
to all corporate data and can mandate that all data at the 
highest sensitivity level be encrypted. Each department 
can determine which data that it handles falls into that 
category and can ensure that it is encrypted. The depart- 
mental policy should, of course, be reviewed to ensure 
that it does not conflict with corporate policy. 


AUTOMATING COMPLIANCE 

After a company has performed a compliance assessment 
and put in place a set of controls to manage risks identi- 
fied by the assessment, it should determine how to auto- 
mate the controls. Automation should not be attempted 
before validating that the controls are appropriate for 
addressing the company’s compliance needs. 

Why automate? Implementing business processes 
using paper, e-mails, or disjointed files and applications 
is prone to error. There are too many opportunities for 
something to get lost or overlooked. In addition, audits 
can be expensive, laborious tasks when done manually. 

When a company is ready to automate, it should look 
for a system that provides end-to-end control over busi- 
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management assessment will determine the importance 

of each role, which will then be used to manage the roll- 
out of changes. At Microsoft, SMS (System Management 
Server), along with other tools, is used to ensure compli- 
ance with configuration policies. 

Once all computer systems have been properly config- 
ured, you need to create a plan for managing updates for 
security fixes, service packs, and new versions of applica- 
tions. You should include a plan for validating changes 
in a test lab before deploying the changes to production 
machines. High-priority machines, as defined by the risk 
management assessment, should be updated first, fol- 
lowed by medium- and low-risk machines. You should 
include a contingency plan for when things go wrong and 
oversight to ensure that only the appropriate changes are 
occurring. 

Once the SCM plan has been completed, there must 
be a way to track changes and validate to auditors that 
risks associated with software changes are being managed 
in accordance with corporate policy and, more impor- 
tantly, regulatory requirements. SMS performs that service 
for Microsoft. 
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ness processes. The system should have strong report- 
ing capabilities. For example, a company may want the 
provisioning for a new employee to be connected to a 
workflow to ensure that the employee is added to the 
appropriate systems with oversight. Any compliance 
system should be able to answer these questions: Why did 
an action occur? Who approved it? Automated security 
and workflows aren’t going to help much if there is no 
automated way of determining if they are working. 

Once an assessment has determined the business 
processes that need to be automated, it will be neces- 
sary to find systems that assist with the automation 
process. Microsoft’s Regulatory Compliance Planning 
Guide (http://www.microsoft.com/technet/security/top- 
ics/complianceandpolicies/compliance/rcguide/default. 
mspx?mfr=true) describes 19 technology solution areas 
that provide guidance and information on technology for 
automating the compliance process. 


SOX COMPLIANCE AT MICROSOFT 

Compliance with the Sarbanes-Oxley Act at Microsoft is 
an integrated program that includes the following com- 
ponents: 

e Annual SOX 404 management assessment 

* Quarterly SOX 302 compliance 

¢ Disclosure committee oversight 

¢ Internal audit and external audit oversight 


ANNUAL SOX 404 MANAGEMENT ASSESSMENT 

Scoping. Microsoft’s annual assessment of internal 
controls to comply with Sarbanes-Oxley Section 404 
requirements begins with evaluating scope. The company 
deconstructs its financial statement line items into cycles 
and subcycles. For example, a cycle within Revenue would 
be MSN Advertising and Subscriptions revenue, and Sub- 
scriptions would be a subcycle. Each subcycle is then dis- 
sected to find the locations that contribute the significant 
dollars—Redmond, for example. Subcycle locations are 
determined to be in or out of scope based upon quantita- 
tive and qualitative risk factors. Typically the in-scope 
subcycle locations include more than 90 percent of the 
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company’s financial statement transactions and balances. 
When a subcycle/location combination is determined to 
be in scope, Microsoft identifies the transactions or pro- 
cesses that generate the financial statement information. 
Figure 1 illustrates the scoping process. 
Control identification. For each transaction identified 
for in-scope subcycle/location combinations, Microsoft 
determines the risks of incorrect or missing accounting 
information, sets control objectives in response to the 
risks, and then finds the key controls that ensure that 
the risks are adequately mitigated. Key controls are both 
manual and automated application controls. Transaction 
flows and key controls are documented in narratives and 
flowcharts. 
As an example, for advertising revenue, a risk would 
be that revenue is not properly recorded in the general 
ledger. The control objective would be that revenue is 
properly recorded in accordance with local account- 
ing practice, which follows GAAP (generally accepted 
accounting principles). A key control is a reconciliation 
of revenue recorded in the order system, the sales system, 
and the general ledger. 
Typically, key controls identified for SOX have been 
activities that are already taking place in the accounting 
process. The challenge is not in finding adequate key con- 
trol activities but in narrowing down what is considered 
important. 
Key lessons learned in the processes of scoping and 
control identification include: 
¢ Choose the correct focus. For each in-scope transaction, 
identify the relevant financial statement assertions, such 
as valuation, completeness, or segregation of duties. 
Eliminate any irrelevant assertions. 

¢ Concentrate on probable risks to the accuracy of the 
financial statements. Recognize operational-only risks 
and remove them from consideration—for example, 
inefficiencies in a process usually do not pose a financial 
statement risk. 

¢ Find the right balance between a centralized and 
decentralized approach. For some types of transactions, 
such as financial closing processes, imposing standard 
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controls across locations is a good idea. For other types 
of transactions, a decentralized approach with each 
location finding its own key controls makes more sense. 

¢ Focus on higher-level analytic controls rather than 
detailed process controls. Most companies learned this 
lesson in the first two to three years of SOX compli- 
ance and have eliminated a large percentage of the key 
controls that were originally identified. In many cases, 
the financial statement risks are adequately mitigated by 
higher-level controls performed later in a process. The 
more detailed process controls are still important but do 
not need to be tested as key SOX controls. 

IT Controls. After the scope of business processes is 
determined, each process is linked to the application(s) 
that support the information capture and reporting. 
Applications that are found to be in scope are then 
associated with the IT group that supports each applica- 
tion. Infrastructure elements associated with in-scope 
| applications, including databases, operating systems, and 
hardware, are also brought into scope. 

Microsoft uses standard control objectives for appli- 
cations and supporting infrastructure elements that 
cover the following key objective areas: access controls, 
interfaces, databases, software development lifecycle, 
maintenance, perimeter network, operating system patch 
management, backup, physical security, and operations. 


As with business processes, Microsoft finds and docu- 
ments key controls that satisfy the control objectives for 
each application and IT group. These types of controls 
lend themselves to standardization, testing the same or 
similar controls for each application and IT group. Con- 
sider again the example of advertising revenue: The com- 
pany must properly restrict access to particular functions 
within the systems that process revenue, and it should 
test controls over the systems’ ability to restrict access, as 
well as the process of granting and reviewing access. 

Assessment. Once all key controls have been specified 
and documented, the company evaluates the design of 
the controls and then develops testing plans to perform 
the management assessment of operational effective- 
ness. Controls are tested each year, typically before the 
end of the seventh month of the fiscal year, and then are 
reevaluated before the end of the year through update 
testing. The testing of controls is performed by peer tes- 
ters, external contracted resources, or internal audit in the 
course of a normal audit schedule. 

The reconciliation control described previously might 
be tested by choosing a sample of one or more recon- 
ciliations (depending on frequency) and obtaining and 
reviewing evidence that the reconciliation was properly 
performed and reviewed and that reconciliation items 
were investigated in a timely manner. The test evidence 
would be documented and 
retained as part of the SOX 
compliance work papers. 


financial statement 


consolidated F/S line item-e.g. revenue 


segment-e.g. MSN 


cycle-e.g. subscriptions and advertising 
| - 


| location-e.g. Redmond | 
Transaction-e.g. ad placement 


information systems 
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subcycle-e.g. advertising if process 


Evaluation of Deficien- 
cies. If deficiencies are 
discovered in either the 
design or operational 
effectiveness of controls, 
management and internal 
audit evaluate them for 


financial financial 
+ close 


statement significance and pass them 
preparation on to the external audi- 
tors. Microsoft evaluates 
deficiencies as part of the 
quarterly reporting process. 


QUARTERLY SOX 302 
COMPLIANCE 


: To support the quarterly 
nied: Barty Rentals 302 certifications of the 


CEO and CFO, Microsoft 

has established a quarterly 
process of surveys and sub- 
certifications. Throughout 
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the organization, controllers, subcycle and subcycle-loca- 
tion owners, and finance executives complete a variety of 
surveys to assess the effectiveness of disclosure controls 
and procedures, internal control over financial reporting, 
and changes in controls. This process involves approxi- 
mately 250 individuals. The responses to all surveys and 
requests for information are analyzed and incorporated in 
the quarterly deficiency analysis as appropriate. Changes 
in the control structure are also evaluated for significance 
and possible disclosure. 


DISCLOSURE COMMITTEE OVERSIGHT 

The results of the SOX compliance program are reported 
quarterly to the disclosure committee, which includes 
key finance leaders throughout the company. The com- 
mittee reviews the results of the quarterly evaluations of 
deficiencies and changes in controls and reviews updated 
risk assessments. 


INTERNAL AUDIT 

AND EXTERNAL AUDIT 
OVERSIGHT 

Microsoft’s SOX compli- 
ance program is subject to 
audit by both internal and 
external auditors. Manage- 
ment works closely with 
both of these groups to 
coordinate planning, test- 
ing, and evaluation of test 
results. 


‘as 


PEOPLE AND 
ORGANIZATION 

Because Microsoft is a 
large, global organization, 
its SOX compliance pro- 
gram is decentralized. The 
corporate financial compli- 
ance group administers the 
SOX program, sets policy, 


consultant/ 
auditor 
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| executive 2 
| sponsors | 


finance 
leadership team 


financial 
compliance group 


controls and compliance 
managers (field, BG’s, ops) 


controllers, subcycle owners, 
subcycle location owners 


transaction teams 


internal external 
audit auditor 


determines the plan for the year, provides training, and 
coordinates the evaluation of deficiencies. Each business 
group, region, and operations center has one or more 
controls and compliance managers who provide first-tier 
support to the field. Each subcycle and subcycle location 
has an owner with primary responsibility for documenta- 
tion and assessment of processes and controls. 

The SOX program organization is illustrated in figure 
2, along with approximate numbers of people involved in 
fiscal year 2006. 

As might be expected, managing a global, decentral- 
ized compliance program is challenging. Key success 
factors in the Microsoft program are: 

Strong senior management sponsorship and guid- 
ance from the beginning. The CEO and CFO placed high 
importance on successfully implementing the compliance 
program, and this commitment was well known through- 
out the company. This sponsorship and high level of 


od 


Microsoft’s SOX Program Organization va 


FY 2006 


ultimate owner 
and decision maker 
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commitment exists at all levels of company management. 

Good program design, with accountability pushed 
out to all locations from the outset. Unlike many other 
companies, which had to roll out a corporate program to 
the field in the second or third year, the subcycle and sub- 
cycle-location owners have always had primary responsi- 
bility for compliance. 

Consistent guidance and communication from the 
central team. Although communication can always be 
improved, Microsoft technologies enable realtime status 
tracking and reporting via input into the central SOX 
compliance database and regular outward communica- 
tion of guidance and updates via biweekly LiveMeeting 
sessions that are accessible globally. 


TECHNOLOGIES 

Since Microsoft was initially in the earliest SOX compli- 
ance deadline group, it had to be selective in the ele- 
ments it chose to incorporate in a system solution. The 
company knew that its abilities to version documents, 
maintain audit trails, and provide secure access were 
critical, and it used Microsoft SharePoint software to meet 
those requirements. 

With the change in filing dates, Microsoft’s SQL Server 
team took the opportunity to try to make the organiza- 
tion of controls and reporting processes more efficient. 
Because the organization of controls and test data 
requires a unique hierarchy for easy administration (start- 
ing at the financial statement class and expanding down 
to the individual control objectives and activities), the 
team built an application that would allow users to navi- 
gate easily to their areas of responsibility and document 
and record their controls and test results. Using SQL 2005 
as its implementation platform, the team also integrated 
flexible online reporting to monitor status and provide 
updates for field, management, and executive reviews. 


CURRENT STATUS AND FUTURE OBJECTIVES 
Since Microsoft’s fiscal year ends June 30, the company 
has just completed its second year of SOX compliance. 
(There was a “Year 0” in FY04 since the deadline was 
extended after the company had completed much of the 
initial compliance work.) Over these three years, Micro- 
soft has successfully reduced its scope and key control 
testing by more than SO percent as a result of improve- 
ments in risk assessment and controls rationalization. The 
company has worked to standardize controls and focus 
on higher-level analytic controls where possible to elimi- 
nate detailed and/or redundant process-level controls. 

A key success factor has been the decentralized 
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approach, which assigns ownership and accountability to 
people with appropriate authority throughout the organi- 
zation. Its enabling technologies allow Microsoft to man- 
age a decentralized program effectively. Objectives for the 
future include continued improvement in the effective- 
ness and efficiency of the program, while maintaining 
strong internal control structure and timely remediation 
of deficiencies. 


STEPS TO SUCCESS 

Individuals entrusted with compliance should not permit 

the pressure of regulatory requirements to force them to 

make hasty decisions about addressing compliance needs. 

Instead, follow these steps: 

¢ Work with an internal or external compliance expert to 
perform a compliance assessment. 

¢ Create a set of IT controls to address any high-risk busi- 
ness processes. 

¢ Consolidate compliance efforts into a single corporate 
compliance strategy. 

¢ Have each department define a strategy to comply with 
corporate policy. 

e Use technology to automate the creation, enforcement, 
and deployment of policy. 

The work of compliance will go more smoothly once 
you have created a set of IT controls to address risks that 
were found during the assessment process. Using tech- 
nology can help to streamline and automate the defini- 
tion, enforcement, and validation of IT controls. Most 
importantly, before starting any compliance program, get 
assistance from a reputable auditing firm. Q 
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privacy and compliance needs. He will also focus on ensuring 
that SQL is a robust platform for developing effective compli- 
ance solutions. 

MARILEE BYERS is the group manager for the Financial 
Compliance group, which oversees Sarbanes-Oxley compli- 
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as well as in a number of start-up companies. 
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chieving developer acceptance of standard- 
ized procedures for managing applications from devel- 
opment to release is one of the largest hurdles facing 
organizations today. Establishing.a standardized develop- 
ment-to-release workflow, often referred to as the ALM 
(application lifecycle management) process, is particu- 
larly critical for organizations in their efforts to meet 
tough IT compliance mandates. This is much easier said 
than done, as different development teams have.created 
their own unique procedures that are undocumented, 
unclear, and nontraceable. 


Achieving 100 percent compliance 
from all development teams requires that the 
ALM team clearly communicate the levels of compliance 
to the developers and clearly communicate to upper 
management which development teams are and are not 
in compliance. Keeping track of the game using a simple 
“compliance scorecard” can do the job. 

The first rule of thumb in defining a standardized 
ALM process is to clearly define the activities that fit 
under the ALM umbrella. For example, the ALM pro- 
cess does not need to define a particular development 


TRACY RAGAN 
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Compliance 


methodology, such as continuous development or agile 
development. In fact, staying away from how a develop- 
ment team defines the development process is highly 
recommended. The ALM process instead should focus on 
the movement of changes leaving development and flow- 
ing through test and production release. In other words, 
the ALM process should not be concerned about changes 
that a developer may make day to day. Instead, the ALM 
process should focus on what happens when the devel- 
oper says the changes are ready to move to production. 

Once the development team reports that its source- 
code changes are ready for prime time, the ALM workflow 
should focus on four specific procedures: source-code con- 
trol, build management, testing, and production release. 
Of course, the software is initially “born” at the devel- 
opment stage, but the subsequent stages that involve 
locking down the preproduction source code, executing 
a preproduction build to create the binaries, testing the 
binaries, and finally releasing the binaries to production 
are the core of the ALM process that must be standardized 
and repeatable to meet IT compliance mandates. 

Even though the core of the ALM activities involves 
steps after the development stage, it is critical to get 
the developers to accept the standardized process. This 
is because most development teams are accustomed to 
performing every stage of the ALM process from develop- 
ment to release. Defining a standardized ALM process has 
a direct consequence for the developers once they are 
ready to move their applications to production. It may 
mean, for example, that they no longer build, test, and 
release the application themselves, but hand it off to a 
separate team, or perform these activities by a particular 
method, using particular tools. For this reason, the devel- 
opment teams must accept the standardized procedures; 
otherwise, the ALM process can be completely derailed. 

Any organization attempting to set up a standardized 
ALM process must identify a central team or individual 
with responsibility for establishing the process and 
implementing the new rules of engagement. In most 
organizations, this responsibility fits most logically into 
the configuration management, testing, or production 
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control teams. Smaller organizations may assign a single 
individual to assist each development team with the pro- 
duction release process. 


KEEPING SCORE 
Rolling out a centralized ALM solution and achieving 100 
percent compliance from all development teams requires 
two critical components: the levels of compliance must 
be clearly communicated, and upper management must 
be serious about achieving the goal. This clear direction 
from upper management and a clear statement of the 
ALM process allow the development teams to understand 
what is expected of them. It is critical that all teams fully 
understand the levels of ALM compliance. It is equally 
critical that upper management be informed weekly 
regarding which teams are meeting these levels of com- 
pliance and which are not. You can use a “compliance 
scorecard” for communicating this information. 
Defining levels of compliance is the most important 


E and reining in the risk BS coated with ireleagng core : 


ware applications to a production environment. 

The trend toward IT compliance is really a way for 
upper management to say that software development 
must be managed in the same way as other depart- 
ments, standardized, and repeatable. IT compliance 
really means that delivering business software 


solutions is no longer seen as a mystical 

activity performed by a few really technical 
people, but instead is viewed as a business process 
that must be carefully monitored, audited, and 
controlled to maximize the overall benefits of 
business automation. 
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step in creating your compliance scorecard. The best 
approach is to start with what is important to the devel- 
opers. Developers will interact with the centralized ALM 
process in two particular areas: SCM (source-code con- 
figuration management) and build configuration manage- 
ment. You should select SCM and build configuration 
management tools that are flexible and can cater to the 
needs of multiple development teams. This allows each 
team to use the tools uniquely, depending on their needs, 
and still interact with a centralized process. 

Developers use SCM and build configuration manage- 
ment tools in a closely integrated method. They need 
to be able to lock down source code and compile their 
binaries. When defining a central process, you may need 
to take away their team-based SCM tool; therefore, you 
will be taking away their build process as well. You will 
need to define a central process for both build and source- 
code management; otherwise, each team will continue 
to use its inferior tools. Development teams often choose 
SCM and build configuration management tools based on 
open source ad hoc scripting languages that perform the 
most simplistic of check-in, check-out, and build features. 
These tools may not perform the detailed dependency 


Compliance Level Compliance Description 


Sample Compliance Levels 


management, impact analysis, or build audit reporting 
needed to trace matching source to production execut- 
ables. For this reason, these tools in particular must be | 
standardized across the enterprise ALM process. 


DEFINING LEVELS OF COMPLIANCE 

There is a balance between keeping developers happy 

all of the time and meeting the basic compliance needs 
of the organization. To maintain this balance, you must 
keep in mind the most basic needs of the development 
teams and make sure those needs are met in the enter- 
prise ALM solution. In addition, you must keep the levels 
of compliance simple and clear. Overly complicated levels 
of compliance will give the developers too many excuses 
for not achieving them. Table 1 lists sample levels of 
compliance. The early levels of compliance address only 
SCM, and the later levels address SCM, build configura- 
tion management, and release management. 

Most organizations can use the three levels of compli- 
ance shown in Table 1. These levels provide the basic 
framework for a strong ALM process that will meet tough 
IT governance standards. Each level is worth further 


exploration. 


Compliance Benefit 


Level 1 All third-party objects, SOA objects, J2EE objects, 
and database objects are identified and checked into 


the central SCM tool. 


All third-party objects are centralized for the 
entire organization. Developers begin using 
the central SCM tool to manage reusable 
third-party objects. 


Level 2 Level 1 is achieved, all project-level source code is 
checked into the central SCM tool, and a build of the 
binaries using the central build configuration man- 
agement tool is executed. A traceable footprint from 
the build is required, validating matching source to 


executables. 


Source code must be validated to be worth 
managing. Building the code with only the 
SCM-managed objects, with a traceable 
footprint based on compiler calls, will validate 
matching source code to production execut- 
ables. This meets the separation of duties and 
traceability IT governance requirements. 


Levels 1 and 2 are achieved and all binaries are 
tested and approved for release by the central 
production control team without assistance from the 
development team. All production servers are locked 
down and cannot be updated by any member of the 
development team. 


Level 3 


more queue: www.acmqueue.com 


Storing the source code and building the 
executables must be followed up by defining 
a release process that does not involve the 
developers. This is the final way of meeting a 
full ALM-compliant process. 
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Compliance 


Level 1: Identify and check in all third-party libraries 
to the central SCM tool. This may seem like a strange first 
level of compliance, but it is critical to the ultimate goal 
of the SCM process: providing matching source to pro- 
duction executables. Requiring the development teams 
to identify all of their third-party components, including 
compiler libraries, gets them involved in using the cen- 
tralized SCM tool without interrupting their direct devel- 
opment efforts. These third-party and compiler libraries 
are critical for supporting the application build process, 
allowing for the creation of QA and production-level 
compiles, and validating what versions of these third- 
party and compiler libraries are running in production. 

This level of control is critical in managing SOA (ser- 
vice-oriented architecture), J2EE, and database applica- 
tions. Remember that many of these third-party and 
compiler libraries must be installed into production. The 
applications are built against them and execute against 
them in production. It is critical that the centralized SCM 
solution begin controlling these libraries, even before 
they begin controlling the application-specific code. 
Once the application team has defined these compo- 
nents, the ALM team can begin ensuring that the correct 
versions are running in production. In addition, as new 
versions of these components become available, the ALM 
team can control their use and distribution. The manage- 
ment of these third-party and compiler libraries is just as 
important as managing the code your developers create 
in-house. 

Level 2: Load all application source code into the 
central SCM repository and recompile the application to 
create a preproduction level build with the central build 
configuration management solution. Provide the ALM 
team with the ability to compile the application’s binary 
objects (.exe, .war, .jar, .dll, etc.) using the enterprise build 
configuration management tool on a “build” machine. 
The resulting footprint report shows the location of the 
source code that was used in the build. The last thing you 
want to do is to check code into the central repository 
that cannot compile. If the source code is not loaded into 
the SCM tool correctly, developers will object to using the 
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tool, as they will not be able to build their applications. 
Also, it is important that the development team establish 
a means to build its application in a repeatable fashion. 
If the team can create the build on a machine defined 

to do nothing but builds, it is closer to creating a repeat- 
able build process. Additionally, your build workflow 
should provide the ability to create a footprint based on 
the actual compiler calls. This report will be crucial when 
completing the next step. 

Level 3: Levels 1 and 2 are achieved and all releases 
are performed by the central production control team. 
Developer access to production servers is removed. This 
final level of compliance completes the ALM picture. 
Developers at this level will turn over the source code to 
the central ALM team, which will then create the bina- 
ries, with a traceable footprint validating matching source 
to executables, and will move the binaries to a secure 
production environment. This level of compliance is fully 
traceable and will meet the toughest of IT standards such 
as COBIT (control objectives for information and related 
technology), ITIL (IT infrastructure library), and SOX 
(Sarbanes-Oxley Act of 2002). 


BUILDING A SCORECARD 

Once you have met the basic needs of the developers in 
your ALM process and defined simple and clear levels 

of compliance, you will find that each team begins to 
debate small features of their solution compared with 

the enterprise solution. You must learn to differentiate 
between a small missing feature and a big missing feature 
in the enterprise-level process. In other words, the way 
in which a particular tool displays version history is not 
a showstopper. Not providing a means for developers to 
build their applications is a valid objection to the enter- 
prise ALM process. If you are hearing objections from the 
developers regarding small features of the SCM solution, 
or an objection to the added work required to meet the 
levels of compliance, this is a sure sign that the first battle 
has been won. You have successfully defined a process 
that the developers can incorporate into their develop- 
ment process, leaving their team-based process behind. 
Your next step is to build a compliance scorecard. 

The compliance scorecard is your way of communicat- 
ing to upper management the success of the enterprise 
SCM rollout. If you have indeed completed the first step 
by defining an SCM process that can be used by all teams, 
regardless of the development tool, then it is time for the 
development teams to migrate to the new process. 

Table 2 is an example of a compliance scorecard show- 
ing three application teams listed with three levels of 
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compliance. It is obvious 
from the scorecard that 
the customer service team 
is 100 percent compliant 


and that the loan process- Development Team 


Level 1 


Sample Compliance Scorecard 


Level 3 


ing team has not commit- Accts Payable Compliant 1/24/06 6/1/06 

ted to a date when it will ; i 

be at the highest level of Loan Processing 3/1/06 5/1/06 No commitment 
compliance. This scorecard Customer Service Compliant Compliant Compliant 


should be shared with all 

development team leaders. 

This allows upper management to see which teams are 
lagging behind. 

Keep in mind, not everyone can migrate at the same 
time. Each development team has its own deadlines, and 
you must work with each team to achieve these dead- 
lines. It is not always possible to begin using a new SCM 
tool during a busy development cycle. It is the respon- 
sibility of team managers to give the development team 
the time it needs in its project schedule to participate 
in the migration to a new centralized process. It is not 
unusual for upper management, however, to put pres- 
sure on a team to get a new release out, while at the same 
time asking the team to migrate to a new tool that will 
certainly take time away from its development activities. 
The scorecard gives the application project managers an 
opportunity to negotiate when they will become compli- 
ant at the different levels, preventing any development 
interruptions. 

There are other benefits of using a scorecard. For exam- 
ple, if the customer service and loan processing teams 
use the exact same development tools, and the customer 
service team is 100 percent compliant, then there should 
be little reason, other than project scheduling, that the 
loan processing team cannot use the enterprise-level 
process. The scorecard becomes a tool of peer pressure. 
Application managers should be rewarded for achieving 
100 percent compliance. 


SIMPLE TOOL WITH POWERFUL RESULTS 

The scorecard is a simple tool that can bring powerful 
results. It can be created with a Microsoft Excel spread- 
sheet or even a database where reports can be easily 
obtained and viewed by upper management. As upper 
management begins to use this scorecard, individual 
managers may ask for reports showing different levels of 
information—for example, a report that shows all of the 
compliant teams, or one that shows all teams that have 
met the first level of compliance. The ability to customize 
these reports will make it easier for you to provide upper 
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management with data needed for decision making. 

To create some buzz around the ALM process, you 
must show levels of success. Providing levels of compli- 
ance that are clearly communicated and obtainable by 
the development teams is a successful method of getting 
the teams to take the baby steps needed to move from 
their team-based systems to the enterprise-based system. 
Making the first level of compliance simple will allow 
teams to accept the process without completely interrupt- 
ing work flow. The more teams you have accepting the 
enterprise-level ALM process, the quicker other teams will 
join in. No team manager wants his or her team to be the 
only one that is noncompliant. 

Using this scorecard method of tracking compliance 
can help you keep the momentum of your ALM rollout 
going. In addition, the compliance scorecard will keep 
the burden of enforcing the process with upper manage- 
ment where it belongs. 

Finally, be realistic. The process of rolling out an 
enterprise ALM solution is never really done. As long as 
there are new development efforts, there are new teams 
creating their own team-based ALM processes that 
you will need to confront, address, and move toward 
compliance. Q 
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Software Security: Building Security In 
Gary McGraw, Addison-Wesley Professional, 2006, $49.99, 
ISBN: 0321356705 
aun) Over the years, I have read several books 
SOFTWARE] covering software security from a system 
or programming language perspective. 
While most of them provided excellent 
overviews, I was hoping eventually to 
& see a holistic approach. Software Security 
GARY McG is just the kind of book I had in mind 
and is one of the best introductions to 


software security that I have seen. 

One phrase summarizes the content of the book: “Soft- 
ware security is not security software.” One of the major 
errors we make in development is addressing software 
security by adding features; this is cost efficient in the 
short term, but raises major issues in the long run. In his 
book, McGraw shows that security is not a feature that 
can be added to extend the functionality of software but 
is an essential building block and key architectural design 
characteristic of reliable software. 

Although the book is written at a high level of abstrac- 
tion, going beyond simple code vulnerabilities and 
examples, the multiple sidebars with anecdotes provide 
illustrations and make it easy to read. The first part of the 
book defines the discipline and introduces the notion of 
risk management. It covers issues such as risk mitigation, 
risk measures, operations, and the major stages of apply- 
ing risk management in practice. The second part covers 
touch points for software security: code review, archi- 
tectural risk analysis, penetration testing, abuse cases, 
security requirements, security operations, and external 
analysis. The final section deals with enterprise-level secu- 
rity development cycles and the importance of knowl- 
edge-based management schemes for such purposes. 

At first, the content of the book might seem dry and 
targeted to less technically oriented readers. For those 
more interested in technical and programming issues, 
however, my favorite chapter is the fourth, which 
addresses automated code review with the Fortify security 
tool. The author is one of the developers of this tool, and 
a CD containing a sample scenario to be worked out by 
the reader accompanies the book. 

There is a final jewel at the end: an annotated bib- 
liography covering most of the essential readings from 
academia and industry. The contents of the book are 


44 September 2006 ACM QUEUE 


intrinsically tied to both of these areas, and McGraw 
manages to provide a common view on software security 
from both perspectives. I highly recommend this book to 
all readers wishing to build security into their software. 
—Radu State 


Refactoring Databases: Evolutionary Database Design 
Scott Ambler and Pramodkumar Sadalage, Addison-Wesley 
Professional, 2006, $49.99, ISBN: 0321293533 

The simplest way to explain this book’s 
evolutionary approach to database 
maintenance is with an analogy to the 
electrical rewiring of a home while keep- 
ing the lights on. The book discusses 

a number of basic operations, serving 

as effective and safe techniques for 
database maintenance. These techniques 
cover not only the standardized steps of database schema 
transformation and related code refactorings, but also a 
number of relevant supporting techniques of interest to 
practitioners working with complex databases. 

Overall, the book’s evolutionary approach to data- 
base application system maintenance jointly addresses 
software and data design. It explains 70 operations, with 
illustrations and code snippets, and is organized into 11 
chapters. 

Chapter 1 presents the general idea of evolutionary 
development. Chapter 2 introduces refactoring con- 
cepts in database situations. The third chapter explains 
recommended processes, and the next ties refactoring to 
deployment. Chapter 5 serves as the main entry point for 
the remainder of the book, succinctly addressing database 
refactoring strategies and providing online resources, 
discussion lists, and Web sites for updates. Chapters 6 
through 9 make up the main reference section, present- 
ing, respectively, structural, data quality, referential integ- 
rity, and architectural database refactorings. Chapter 10 
is an overview of related code refactoring, and the final 
chapter discusses elementary database transformations. 

This book is recommended for database system imple- 
menters, database design experts, and advanced students 
of database design, as it provides a unique perspective 
on database schema changes in a manner preserving 
application semantics. It is not a quick read, but it is an 
approachable one. —Vladan Jovanovic 


Reprinted from Computing Reviews, © 2006 ACM, http://www.reviews.com 
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Ian Skerrett, The Eclipse Foundation 


nthe past four years Eclipse has 
enjoyed considerable success 

in the software industry. Most 
famous for its widely used open 
source Java IDE, Eclipse has also 


become an important platform 
for building software development tools 
and general-purpose applications. In 
fact, there are now more than 58 differ- 
ent open source projects at Eclipse, and 
most of these have little to do with build- 
ing Java development tools. We also 
have a growing ecosystem of vendors 
and other open source projects creating 
Eclipse-based products that span many 
different technology markets. Therefore, 
the answer to the questions, “What is 
Eclipse?” or “Where is Eclipse going?” 
often depends on your point of view. 

When we think of Eclipse, we often 
think of different user communities or 
technology groupings. Right now, we 
think of seven different pillars as a meta- 
phor to explain the breadth and wealth 
of technology brought to developers by 
the Eclipse community. Over time we 
expect that these pillars will evolve and 
change. 


Starting with a Foundation 

It is important to understand that when 
Eclipse was started the goal was never 
simply to build a Java IDE. The goal 
was to create an extensible platform 
for building and integrating a myriad of 
different development tools. When IBM 
started Eclipse it wanted to consolidate 
its different development tools onto a 


single platform, and more importantly 
enable a broad ecosystem of open 
source and commercial tools sharing 

a common platform. Having organiza- 
tions such as ISVs or enterprises use 
these frameworks to build their software 
is how we define success for Eclipse 
projects. 

Contrary to popular belief, Eclipse 
projects do not solely focus on build- 
ing tools. They are tasked with the 
added responsibility of building both 
frameworks and exemplary, extensible 
tools. So the focus is also on building a 
platform intended for reuse in products 
and applications. The Eclipse Java IDE or 
Java development tools (JDT) was the 
first, and is probably the best known of 
Eclipse's exemplary tools. If an orga- 
nization is going to create frameworks 
for building tools, having a really good 
example of how to do it is critical to 
teaching others. That is the purpose of 
JDT-and of all of the tools you find at 
Eclipse. The great thing for the devel- 
oper community is that most of these 
tools are very good; as a result, a lot of 
people use them. 

The roots of Eclipse result ina 
strong technology platform that enables 
quick development, integration, and 
deployment of software from different 
providers. At the heart is a dynamic com- 
ponent model, based on the OSGi (Open 
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Services Gateway Initiative) version 4 
specification, which allows software 
providers to create, extend, and update 
software components or plug-ins. This 
comprehensive component model has 
allowed Eclipse to expand and evolve 
into many different areas, shown in 
figure 1. 


Enterprise Development Pillar 
Numerous Eclipse projects focus on the 
requirements of enterprise developers. 
Eclipse projects provide tools and frame- 
works that span the entire software 
development lifecycle, including model- 
ing, development, deployment tools, 
reporting, data manipulation, testing, 
and profiling. The projects in this pillar 
are primarily focused on the issues of 
building Java EE, Web services, and Web 
applications. It also provides support for 
applications in other languages, such as 
C/C++, PHP, and others. 

In this pillar we have the largest 
number of vendors that have embedded 
the Eclipse open source technology into 
their commercial products. The major 
Java EE vendors, such as BEA, Borland, 
IBM, JBoss, and Sybase, have based 
their developer solutions on the Eclipse 
technology. Zend, the PHP company, is 
moving its popular PHP tools to Eclipse. 
The major modeling vendors Borland, 
Compuware, and IBM have based their 
modeling solutions on Eclipse. The major 
Linux distributors, Red Hat and Novell 
SUSE, have based their developer tools 
solutions on Eclipse. In the business 
intelligence and reporting market, 
Actuate is making available commercial 
reporting tools based on Eclipse. There 
is also a large and growing ecosystem 
of ISVs that are providing Eclipse-based 
developer solutions and services to 
address the needs of enterprise IT 
developers. 
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Deployment Platforms Pillar 

Changing requirements are forcing 
organizations to rethink how they build 
end-user applications. Businesses need 
to create end-user applications that have 
a highly productive rich user experience 
but are easy to deploy and manage on 
multiple platforms such as Windows, 
Linux, and Macintosh. 

At the heart of the Eclipse Platform 
project is a set of frameworks, called the 
Eclipse Rich Client Platform (RCP), which 
was first introduced in 2004 with the 
Eclipse 3.0 release. It has quickly gained 
the attention of many ISVs and enter- 


The Eclipse RCP is being used to 
build, deploy, and manage client-side 
end-user applications by organizations 
such as IBM, NASA, SAS Institute, and 
more than 100 small and large organiza- 
tions. 


Embedded and Device 

Development Pillar 

Since the beginnings of Eclipse, the C/ 
C++ development tools project (CDT) has 
been working to address the needs of 
embedded and device developers. Over 
the past three years, the embedded and 
device community has embraced Eclipse 
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Pillars of Eclipse 


prises as being a stable and productive 
platform for building and deploying rich 
client applications. Eclipse RCP provides 
a dynamic component model (based on 
the OSGi v4 standard) that makes it easy 
to integrate, deploy, and update applica- 
tions; a runtime environment that runs 
on many operating systems, including 
Windows, Linux, and Mac, while at the 
same time providing complete fidelity 
to the native look and feel; and the tools 
and frameworks that accelerate the 
development, packaging, deployment, 
and management of rich client applica- 
tions. 


as the platform for building embedded 
tools. 

Embedded and device developers 
require tools that are often unique to the 
target device. In addition to CDT, new 
projects are being started to address the 
needs of debugging on remote devices, 
target management, building GUls for 
mobile devices, and development for 
mobile devices running Java ME. 

Eclipse is widely used in the telecom- 
munication, handheld, manufacturing, 
automobile, and defense embedded 
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industry segments. It has the support of 
many of the key vendors in the embed- 
ded and mobile market. Nokia is leading 
the projects to develop tools for mobile 
Java applications and has based its Java 
ME developer tools on Eclipse. The lead- 
ing realtime operating system (RTOS) 
vendors-Wind River, Monta Vista, QNX, 
Accelerated Technologies, TimeSys, 
PalmOS, Symbian, and ENEA-have 

all based their developer solutions on 
Eclipse. 


Rich Internet Application Pillar 
Because of its extensible architecture, 
the Eclipse platform is easily adapted to 
new technologies. Sometimes referred 
to as Web 2.0, a new style of Web devel- 
opment is emerging with the advent of 
AJAX and other rich Internet applica- 
tion (RIA) technologies. The AJAX Tools 
Framework is an example of supplying 
developer tools that can target a variety 
of AJAX runtime frameworks, such as 
Dojo, Kabuki, and Rico. Eclipse also has a 
project to develop an IDE for the Laszlo 
framework. 

All of the key RIA vendors—Adobe 
Flex IDE, Nexaweb Studio, and Laszlo- 
have recognized the flexibility of the 
Eclipse platform and have used it as the 
base of their tools solutions. 


Application Lifecycle 

Management Pillar 

Application lifecycle management (ALM) 
is the next step in solving the question, 
“How do developer tool vendors interop- 
erate?" Eclipse provides the platform for 
integrating tools on a common technol- 
ogy base, but how do the tools talk with 
each other and share information across 
the software development lifecycle? The 
Eclipse Application Lifecycle Framework 
(ALF) project has been established to 
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solve this problem. Although ALF is still 
in the early stages, a number of vendors, 
including Serena, Compuware, Segue 
Software, and others, are working to 
define the meta-level information for 
having requirements, modeling, develop- 
ment, and testing tools all communicat- 
ing with each other. 


Service-Oriented Architecture Pillar 
Enterprises are building applications 
based on service-oriented architecture 
(SOA). We have initiated the SOA Tools 
Project (STP) to address the needs of 
architects and developers creating soft- 


tions of standard business components 
and frameworks, such as enterprise 
content management. These frameworks 
provide an adaptable and extensible set 
of application logic that developers can 
integrate into their overall applications. 
These frameworks can either be used 
as stand-alone additions to Java applica- 
tions or be leveraged as components 
on top of the Eclipse RCP. This enables 
applications to use an integrated stack 
of open source frameworks on RCP for 
quickly building and deploying their 
applications. This provides a powerful 
combination for building software. 


Eclipse has evolved to become the industry's 
most vital vendor-neutral, open source 
development and application platform. 


ware around SOA. This project is building 
frameworks and exemplary extensible 
tools that enable the design, configura- 
tion, assembly, deployment, monitoring, 
and management of software designed 
using SOA. 

The SOA Tools Project has just 
started, but it already has attracted the 
participation of some of the leading SOA 
vendors, including IONA, BEA, Compu- 
ware, IBM, Intalio, LogicBlaze, Object- 
Web, Scapa, and Sybase. 


Application Frameworks Pillar 
Application frameworks provide develop- 
ers with the functional building blocks 
to accelerate the software development 
process. Unlike developer tools, applica- 
tion frameworks are deployed with the 
actual applications. 

A number of well-established Eclipse 
projects provide frameworks. In the 
future we will see more implementa- 


An Adaptive Platform 

The pillars of Eclipse address the ques- 
tions, “What is Eclipse?” and “Where is it 
going?" The Eclipse community and eco- 
system is vast, and many different orga- 
nizations are simultaneously growing it 
in many different directions. Thankfully, 
Eclipse is a very adaptive platform and 
enables a wide variety of options. At its 
heart Eclipse provides building blocks 
and tools that allow organizations to 
improve their software development 
delivery across the entire software 
lifecycle and across many platforms, 
languages, and operating systems. From 
its beginnings as a Java IDE, Eclipse has 
evolved to become the industry's most 
vital vendor-neutral, open source devel- 
opment and application platform. The 
future of Eclipse technology is limited 
only by the imagination and the commu- 
nity and ecosystem driving its evolution. 
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The Innovation Behind Blending Open Source 
and Commercial Solutions 


When the Wright brothers decided to put 
a bicycle engine on a winged contraption 
and attempted to fly, many thought their 
goals were unreachable. But, by blending 
multiple existing technologies with a 
unique idea, they overcame perceived 
barriers and accomplished a feat that 
stands as one of the most innovative and 
momentous in human history. 

While many technologies today claim 
to be nearly as innovative and forward- 
thinking, few create a new dimension 
of performance to the level of the 
MyEclipse Enterprise Workbench. Build- 
ing upon the Eclipse platform, MyEclipse 
has spearheaded technological advances 
and bridged many perceived boundaries 
in an ever-changing technological envi- 
ronment. By blending together the best 
that open source has to offer with pow- 
erful commercial solutions, MyEclipse 
has redefined developer productivity. 


User-centered Feature Innovation 
Based upon customer suggestion 

and need, MyEclipse has introduced 
many first-of-a-kind innovations into 
the Eclipse environment. While some 
companies agonize for months and 
years attempting to provide tools that 
a user could want, MyEclipse schedules 
releases approximately six weeks apart 
to provide tools developers need and 
have asked for. 


Some of these innovative tools include: 

- First JSP debugger for Eclipse 

— First JavaScript debugger for Eclipse 

— Most native application server 
connectors of any IDE 

— Most native DB connectors of any IDE 

— First Web 2.0 AJAX tools for Eclipse 
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Process Innovation 

While the term “best of breed” is familiar 
to most of us, the definition is often 
relegated to finding the best solution 

for a particular issue and then utilizing 

it. This can lead not only to incompat- 
ibility issues, but also a lack of efficiency 
while moving between programs. Rather, 
MyEclipse takes these “best of” solutions 
(regardless of their source), improves 
them as needed, and blends them 
together with revolutionary commercial 
tools to create a new breed of only the 
“best.” This innovation dispels the illu- 
sion that a project needs to be created 

in Eclipse in order to be incorporated in 
the Eclipse environment. Case in point: 
Matisse4MyEclipse, the integration of 
the NetBeans Project’s swing UI designer 
Matisse into MyEclipse. 


Service Innovation 

MyEclipse boasts a full-time expert 
service team dedicated to customer 
needs. All users, whether trial, standard 
or professional, receive the same timely 
support, which averages only two hours 
response time to all inquiries. s technol- 
ogy expert Kenneth Kousen of Connecti- 
cut put it, “Every time I’ve sent email to 
someone at MyEclipse, I've received a 
response within hours.” \t's part of the 
way MyEclipse is creating the industry 
standard for customer service. 


Business Model Innovation 

Members of the MyEclipse community 
don't just get a software download and 

a thank-you email. They continue to 
benefit from the ongoing innovations 
offered by MyEclipse. All incremental 
milestone and general software releases 
are available to members at no charge-a 
true subscription-based pricing model. 
MyEclipse innovative pricing: 

Standard one year subscription = $29.95 
Professional one year subscription = 
$49.95 


Future Innovation 
MyEclipse remains focused on providing 
unique and cutting-edge technology and 
remaining at almost-free pricing points 
to allow users the most freedom in their 
development environments. As technol- 
ogy changes, MyEclipse is singularly 
positioned to bridge perceived barriers 
and create the most innovative blended 
development environment available. 
When the Wright brothers launched 
paper and steel only a few feet off 
the ground, they couldn't imagine the 
culmination of the modern space age. 
Similarly, advances within Eclipse 
and MyEclipse hold many exciting 
innovations and infinite possibilities to 
shepherd in a new development age. 
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Enterprise 
Development 


he needs of enterprise 

developers are a manifes- 

tation of the needs of the 

enterprise-the design, 

development, integration, 

delivery, and management 
of robust, mission-critical applications 
that provide a decisive competitive edge. 
These include broad lifecycle coverage 
and integration between phases and 
artifacts, support for service-oriented 
architecture (SOA) including Java EE 
and Web services, judicious process 
guidance, and the ability to work across 
geographically distributed teams. Finally, 
there is a growing need for governance 
in development to ensure the enterprise 
rapidly innovates and realizes the full 
benefit of its investments. 

Eclipse’s value as a Java EE develop- 
ment environment was greatly enhanced 
by the Web Tools Platform (WTP) project 
and recently updated with the Callisto 
release in June 2006. Eclipse core 
functionality, combined with Java EE 
artifacts and other Eclipse projects such 
as Modeling and Business Intelligence 
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Reporting Tools, make Eclipse the most 
popular enterprise Java development 
platform in the world. It is used by 

65 to 75 percent of Java developers 
(http://www.forrester.com/Research/ 
Document/Excerpt/0,7211,37238,00. 
html), if you include other Eclipse-based 
IDEs such as IBM Rational Application 
Developer. 

The scope and depth of Eclipse con- 
tinue to grow, as evidenced by projects 
such as the Eclipse Process Framework 
(EPF), which helps companies establish 
consistency in planning and executing 
software development projects; several 
projects that provide for AJAX-style 
application development; and the Open 
Healthcare Framework (OHF), anew 
Eclipse project that helps improve the 
levels of interoperability between appli- 
cations and systems within and across 
health-care organizations. More granular 
projects focus on integrating non-Java 
technologies such as PHP and C/C++. 

For the enterprise developer, many 
software vendors add value to Eclipse 

Continued on page 60 
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Eclipse: IBM's next-generation 
tool integration platform. 
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Introduction 

In the mid-1990s, we saw two worlds: one centered around tools that 
enabled Microsoft® to focus on run-time execution support, and 
another centered on the JavaTM platform, which focused ona 

more open industry approach. IBM's goal at the time was to bring 
developers closer to the more open Java-based middleware. 

We envisioned a world in which a customer's development environ- 
ment comprised a heterogeneous combination of tools stemming 
from IBM, the customer's own custom tools and third-party tools— 
all built against a common platform, thus comprising a software tools 
ecosystem. By November 1998, IBM began creating that develop- 
ment tools platform, which eventually became known as Eclipse. This 
article takes a broad look at Eclipse’s past and present, and provides 


a glimpse into its potential future. 
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Leveraging open source 

After several years of development, 

we considered opening up this technol- 
ogy. While the Java-based middleware 
software business was growing, it was 
not advancing as rapidly as we would 
have liked. We knew we needed business 
associates to fulfill the vision but found 
it hard to convince them to invest in our 
(as-yet-unproven) platform. 

In November 2001, IBM made avail- 
able its Eclipse platform under an open 
source license. IBM, along with eight 
other organizations, established the 
Eclipse consortium and Eclipse.org to 
provide an open operating model in 
order to increase exposure and acceler- 
ate platform adoption. Initial members 
included Rational® software group, 
TogetherSoft, WebGain and Borland. 
Most Eclipse members and committers 
came froma shortlist of commercial ven- 
dors; IBM was the largest contributor of 
content, financial and staff resources. 


But is it really open? 

The first major releases of Eclipse were 
well received and strongly adopted by 
developers. But industry analysts told us 
that the marketplace perceived Eclipse 
as an IBM-controlled effort. This percep- 
tion left major vendors reluctant to make 
a strategic commitment to Eclipse. So 
we began working with other companies 
to define the governance for and create 
the Eclipse Foundation, a not-for-profit 
organization with its own independently 
paid professional staff, supported by 
dues from member companies. We 
announced the new foundation just in 
time for EclipseCon 2004. 


Results to date 

The move has been a success. The new 
and independent Eclipse Foundation 
shipped Eclipse 3.0, and it was a hit. 
Recently, Eclipse 3.2 was released to 
resounding reviews. We've seen dra- 
matic growth in membership at a num- 


ber of levels and a deeper commitment 
by independent tools vendors and most 
platform vendors. The Eclipse Founda- 
tion and its members continue to foster 
new project development, including the 
emergence of several powerful Eclipse 
projects, such as Rich Client Platform, 
Web Tools Platform, Data Tools Platform 
and Business Intelligence Reporting Tool. 
There are now 13 strategic developer 
member companies, each of which com- 
mits at least eight full-time developers 
and up to US$250,000 annually to the 
Eclipse Foundation. The foundation also 
has four strategic consumers who make 
a similar economic commitment. There 
are 69 companies serving as add-in pro- 
viders, and another 13 associate member 
companies. You'll also find hundreds 
of commercial plug-ins and products 
for Eclipse, which is now a leading tools 
platform. 


IBM and Eclipse 

IBM is more committed to Eclipse now 
than ever. We contribute more develop- 
ers to Eclipse projects than a year ago, 
and significantly more than any other 
vendor. We deliver Eclipse-based prod- 
ucts from every IBM Software Group 
brand-Rational, Lotus®, WebSphere®, 
Tivoli® and DB2@-as well as from IBM 
Systems Group. 

Over the past few years, the IBM 
Rational software division has aggres- 
sively revamped its product portfolio to 
move to a more Eclipse-based founda- 
tion. Figure 1 illustrates Eclipse’s relation- 
ship with the major product groupings of 
the IBM Rational Software Development 
Platform. Process, analysis, design and 
software quality products-such as IBM 
Rational Software Modeler, IBM Ratio- 
nal Software Architect, IBM Rational 
Application Developer, IBM Rational Web 
Developer, IBM Rational PurifyPlusTM, 
IBM Rational Functional Tester, IBM 
Rational Manual Tester and IBM Rational 
Performance Tester software-are 
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Process & portfolio management 


Software quality 


Change & configuration management 


all built directly on top of the Eclipse 
platform. Additionally, other lifecycle 
management tools now have new and 
improved integrations with Eclipse, 
including IBM Rational ClearCase®, IBM 
Rational ClearQuest® and IBM Rational 
RequisitePro® software. 

Rational software makes developers 
more productive by extending the base 
Eclipse integrated development environ- 
ment (IDE) with additional functional- 
ity. By leveraging Eclipse's underlying 
mechanisms, IBM also has created tools 
optimized for other practitioner roles 
spanning across the project lifecycle, 
such as analysts, architects and testers. 


Eclipse has, in effect, become IBM's next- 


generation tools integration platform. 


A look into the future 

Eclipse is now stable, mature and inde- 
pendently managed. Many companies 
no longer view Eclipse as risky, and in 
fact, are comfortable starting with base 
Eclipse, and adding support services 
and additional tools in an incremental 
fashion. We see commercial vendors 
evolving to support this shift, poised to 
offer more componentized versions of 
both value-added tooling and vendor 
support services. As Eclipse and its 
associated plug-ins continue to grow, so 
will the need to manage that growth and 
resulting complexity. 


software 
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Other company, product and service names may be 
trademarks or service marks of others. The informa- 
tion contained in this documentation is provided 

for informational purposes only. While efforts were 
made to verify the completeness and accuracy of the 
information contained in this documentation, it is 
provided “as is” without warranty of any kind, express 
or implied. In addition, this information is based on 
IBM's current product plans and strategy, which are 
subject to change by IBM without notice. IBM shall not 
be responsible for any damages arising out of the use 
of, or other-wise related to, this documentation or any 
other documentation. Nothing contained in this docu- 
mentation is intended to, nor shall have the effect of, 
creating any warranties or representations from IBM 
(or its suppliers or licensors), or altering the terms 
and conditions of the applicable license agreement 
governing the use of 

IBM software. 
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technology that allows Java 
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developers to incorporate 
powerful reporting 
capabilities quickly and 


easily into their applications. 


Actuate provides a set of 
value-added products on 
top of the core open source 
BIRT technology. 
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Actuate Brings BI to Eclipse 


Actuate, a South San Francisco, Califor- 
nia-based vendor of enterprise reporting 
applications, has forged a new space in 
the Eclipse community with the BIRT 
(Business Intelligence and Reporting 
Tools) project. Paul Clenahan, vice presi- 
dent of product management at Actuate 
and a member of the BIRT Project Man- 
agement Committee, discussed some of 
the finer points of BIRT with ACM Queue. 


QUEUE What is the Eclipse BIRT project, 
and why should we care? 

CLENAHAN BIRT is a set of technologies 
within the Eclipse open source founda- 
tion that allows Java developers to 
integrate very powerful reporting into 
their applications. 

One of the things that Actuate has 
observed, having been in the reporting 
business for more than 10 years now, is 
that pretty much every application has 
some sort of reporting need. Tradition- 
ally, Java developers have solved that 
need by actually hand-coding reports 
with Java code or maybe some JSP 
(JavaServer Pages) code and so on. 

It has been a very intensive process. 
We recognized that rolling your own 
didn’t make sense, and Eclipse provides 
a lot of value in terms of productivity for 
Java developers-capabilities that allow 
them to build applications quickly and 
effectively. We wanted to do the same 
when it came to the reporting aspects. 

So BIRT is providing reporting 
technology that allows Java develop- 
ers to incorporate powerful reporting 
capabilities quickly and easily into their 
applications. 

QUEUE What is Actuate’s role in the BIRT 
project? 

CLENAHAN We recognized that there 
were not many tools in this area, so we 
took a leadership role in the project 

and sponsored it as part of the Eclipse 
Foundation. We approached the founda- 


tion in late 2004 and suggested adding 
this Foundation capability to the Eclipse 
platform. 

The project has grown from there. It 
now includes contributors from IBM and 
Innovent Solutions. We're also working 
with another software vendor in the 
reporting space who is likely to join the 
project in the coming months. 

QUEUE Is the Java community adopting 
BIRT? 

CLENAHAN Yes, in fact, we're really 
excited by the traction we're getting with 
the project. It officially became a project 
in Eclipse in October 2004; we put out 
our 1.0 release in June 2005, our 2.0 
release in January 2006, and our 2.1 
release in June 2006. 

As the project has gained features 
and functions in these different releases, 
we have seen its popularity also grow 
dramatically. There is a high demand 
from people who want to include report- 
ing in the products they're building, and 
they are using BIRT technology to meet 
that need. 

To support the high demand for BIRT, 
we provide a lot of great technical infor- 
mation for the community on the eclipse. 
org/birt Web site and through the very 
active BIRT newsgroup. In addition, there 
is a blog at www.birtworld.blogspot.com 
and two books have been published on 
BIRT. Lastly, Actuate is sponsoring a 
series of technical workshops focused on 
helping people get into BIRT technology 
and learn how to use it. 

QUEUE What makes BIRT's offering more 
unique than other solutions that are in 
the marketplace right now? 

CLENAHAN BIRT technology is unique ina 
number of areas. First, it’s important to 
recognize that when we started to create 
the project and develop the technology, 
we did not just take existing technology 
and open source it. 

We wanted to build technology from 
the ground up that targeted the needs of 
Java developers. 
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As we did that, we also asked our- 
selves what reporting technology should 
look like in 2005, 2006, and going 
forward in this era of Web 2.0 and all 
the exciting stuff that's happening. We 
decided not to do a traditional banded- 
type report and development environ- 
"ment as have a lot of the other tools that 
are out there. Rather, we got feedback 
from developers who said, “Hey, | want 
to feel like I'm developing a Web page.” 

So we took the Web-page design met- 
aphor, underlaid that with the reporting 
concept, and created a unique approach 
to how you might design reports. It feels 
much more like you're designing a Web 
page compared with other tools on the 
market. 

And the final area | would highlight is 
that BIRT is part of the Eclipse Founda- 
tion, tightly integrated into the Eclipse 
IDE and applications that you would build 
with the Eclipse IDE. That in itself is very 
compelling, and it is professional-grade 
open source technology. 

QUEUE How is Actuate providing value- 
added capabilities to BIRT? 

CLENAHAN We recognize the power of 
BIRT technology, which is aimed very 
much at Java developers who need to 
incorporate reports into their applica- 
tions. 

Based on our experience in the busi- 
ness intelligence area, however, we know 
that there is a wide range of users who 
want different types of reporting tech- 
nology, whether that’s the Java devel- 
opers who are creating reports in the 
context of their applications, business 
users and business managers who want 
to create much simpler reports, perhaps 
to help them answer ad hoc questions, or 
end users who are consuming infor- 
mation and want to interact with that 
information by clicking column headings 
to sort reports, for example. 

Actuate provides a set of value- 
added products on top of the core open 
source BIRT technology to meet this 
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wider range of needs. One product is the 
Actuate BIRT Report Designer Profes- 
sional, which is a variation of the report 
design environment you would see in the 
Eclipse community, but with some value- 
added features, including access to more 
data sources, as well as support and 
indemnification offerings that you would 
expect to get from an enterprise-class 
commercial vendor. 

We offer additional tools, including 
our BusinessReport Studio technology, 
which is aimed at allowing business 
users to create their own reports, as well 
as an interactive viewer to let end users 
interact with the report by resorting, 
adding calculate columns and so on. 

On the deployment side we have 
our iServer technology, which is a rich, 
enterprise-class infrastructure for 
deploying reports, including scheduling, 
e-mail distribution, tight security, and 
soon. 

Actuate has technology that Java 
developers can incorporate into this 
application experience that allows the 
end users to be self-sufficient in a num- 
ber of different areas. 

QUEUE What's next for Actuate? 
CLENAHAN We are releasing a set of 
technologies under the banner Actuate 
9-that's the general release label for 
this-that provides many of these value- 
added capabilities on top of BIRT. As an 
example, the BusinessReport Studio for 
business users will be part of Actuate 9. 
Some of the items, such as the Business- 
Report Studio capability for business 
users, will be part of our Actuate 9 
release series. 

In addition, we're continuing to 
push forward on the BIRT project with 
the open source community. We just 
released BIRT 2.1 at the end of June as 
part of the Eclipse Callisto simultaneous 
release. This was a unique event in the 
open source community, where a num- 


ber of projects released technology on 
the same date so Java developers would 
know they have the latest and greatest 
of all these different projects. 

We'll follow up with a maintenance 
release around the end of September 
that builds on that, and again, it’s likely 
to be a simultaneous release from the 
open source community. Looking further 
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ahead, the Eclipse community is planning 
another release, code-named Europa, 
for the middle of next year where we will 
continue to build on the capabilities that 
we put in BIRT. 
QUEUE How can we get our hands on 
BIRT? 
CLENAHAN There are several mecha- 
nisms to do that. You can download the 
open source BIRT from www.eclipse.org/ 
birt. These will take you straight to the 
BIRT project pages. Those who download 
from Eclipse.org will find a lot of extra 
content, such as tutorials, that can help 
people get started on BIRT technology. 

You can also download the technol- 
ogy from Actuate at www.actuate.com/ 
birt. One of the advantages of down- 
loading from Actuate is that you get an 
integrated install that makes it easier to 
get up and running with the reporting 
technology. In fact, the Actuate down- 
load includes a number of additional 
data drivers that are quite useful. 

In general, for the other capabili- 
ties that | talked about in terms of our 
BusinessReport Studio and iServer 
technology, which adds a lot of value 
around BIRT, you can go to www.actuate. 
com. We have a lot of information on the 
site for those products, and we would 
certainly be happy to talk to anybody 
who's interested in understanding these 
products in more detail. You can reach 
us at 800-914-2259 or 650-837-2000. 
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Crystal Reports for Eclipse Developers 


When it comes to building and integrat- 
ing reporting into applications, Crystal 
Reports is the brand name develop- 

ers know and trust. For over 15 years, 
Crystal Reports has been bundled as an 
embedded reporting technology with 
leading integrated development environ- 
ments (IDE). The Eclipse IDE framework 
is quickly becoming the leading develop- 
ment environment for Java developers. 
In addition, many commercial Java IDE 
Vendors are building their solutions 
using the Eclipse framework. Business 
Objects is expanding upon its heritage 
as the leader in embedded reporting for 
developers and will deliver a new version 
of Crystal Reports for direct use within 
the Eclipse framework. 

Crystal Reports for Eclipse is 
designed specifically for Java application 
developers. It allows them to experi- 
ence powerful, code-free reporting 
using a100% pure Java report designer 
and engine. Developers can build new 
reports, access existing Crystal Reports 
documents, and deploy applications with 
Java reporting components or with the 
Business Objects business intelligence 
(BI) platform. 


Leveraging Eclipse 

The product takes full advantage of the 
Eclipse user interface, including dock- 
able panes and context sensitive menus. 
Developers can fully customize reports 
without ever leaving the Eclipse develop- 
ment environment. The software plugs 
directly into the Eclipse IDE for a rich 
design experience and includes data 
access via JDBC. 


Developer Productivity with 

Crystal Reports for Eclipse 

Crystal Reports for Eclipse provides 
developers with intuitive tools for report 
design, data access, and application 
integration. 
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Report Design 

Crystal Reports for Eclipse offers a drag- 
and-drop environment with a variety of 
controls that will be familiar to past 
Crystal Reports users. These controls 
include tables, charts, text, formulas, 
images, data fields, parameters, and 
more. This provides developers with 
the flexibility to build a range of 
reports from simple to highly-detailed, 
information-rich documents. 


Data Access 

Developers can connect to data using 
the standards-based JDBC driver to 
access databases like Microsoft SQL 
Server, MySQL, Oracle, IBM DB2, and 
more. By taking advantage of the exist- 
ing Eclipse database explorer, develop- 
ers can access data directly from within 
the IDE. Unlike many other reporting 
tools, developers do not have to hand- 
code SQL to access and join data. They 
can simply point and click to select 
tables and create database joins. 


Application Integration 

Crystal Reports for Eclipse provides a 
report viewer so developers can easily 
add a visual reporting layer to their 
applications. The custom tag library 
reduces the amount of coding required 
to embed report templates into JSP 
pages by consolidating commonly used 


Figure 1- 


functions into a library. Crystal Reports 
for Eclipse will also provide developers 
with wizards to easily integrate existing 
Crystal Reports documents into new 
applications. 


Look and Feel 

Figure 1 depicts the Crystal Reports 
perspective and some of the associated 
views. The report palette enables easy 
drag and drop insertion of report objects 
onto the report canvas. The integrated 
toolbar allows for quick and simple for- 
matting changes. Crystal Reports users 
will notice a lot of similarities to the 
current release of the Crystal Reports 
designer, Crystal Reports XI. 

However, they will also notice a few 
new enhancements. For example, users 
can now compress and expand sections 
of the report with a click of the mouse. 
This functionality makes dealing with 
reports containing a large number of 
sections more manageable. 

Another enhancement is the Formula 
Pane. As shown in the center section of 
Figure 2, all of the formulas currently 
stored in the report can be accessed 
ona single pane within the editor. This 
includes custom, conditional format- 
ting, and record selection formulas. All 
of these formulas are easily identified 
by their descriptive headings and can 
be collapsed or expanded for easier 
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readability and navigation. Of course, 
no formula editor would be complete 
without syntax checking. As you can see 
in Figure 2, syntax errors are displayed 
just as they appear when coding other 
solutions in the Eclipse IDE. Users can 
still add fields, parameters or other 
report elements to formulas by dragging 
and dropping the element from the Field 
Explorer view into the Formula Pane. 
This way the developer will never have 
the wrong syntax when referring to a 
specific report element. 

Report designers can use the Data 
Pane displayed in the center area of 
Figure 3 to create the field linking 
between the database tables residing in 
the report. Crystal Reports for Eclipse 
removes the complexity of having to 
hand-coding the SQL statement. This 
is achieved by automatically generating 
the required SQL based on the database 
joins established in the Data Pane and 
the database fields referenced in the 
report itself. 


Deployment Flexibility 


Developers can choose to deploy their 
applications in one of two ways: report 
viewing with the Crystal Reports embed- 
ded report engine, or report manage- 
ment, scheduling, and security with the 
award winning Business Objects XI Bl 
platform. 
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Business Objects and the 

Eclipse Foundation. 

Business Objects is a member of the 
Eclipse Foundation. Along with over 

100 other software vendors, playing an 
active role in supporting the community. 
In addition, many of Business Objects 
technology partners are building their 
current and next generation technologies 
on Eclipse. As a result the investment 
in software, marketing, and support for 
the Eclipse community will benefit the 
individual developer, our partners, and 
the broader developer community. 


Figure 2— 
Crystal Reports 
for Eclipse 
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Create relationships 
between tables using the 
interactive data pane 


Figure 3— 
Crystal Reports for 
Eclipse Data Pane 
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“The endorsement of Eclipse by 
Business Objects will further extend 
the tools and technologies that 
Eclipse developers and vendor part- 
ners can use for application develop- 
ment. The long history of developers 
embedding Crystal Reports in their 
applications makes the solution a 
natural fit for the Eclipse IDE and 
will certainly help to expand the 
success of the Eclipse community.” 


Mike Milinkovich - 
Executive Director of the Eclipse Foundation 


Getting Crystal Reports for Eclipse 
Business Objects, the maker of Crystal 
Reports for Eclipse, offers additional 
information and access to Crystal 
Reports for Eclipse on their new devel- 
oper community, “Diamond” at: www. 
businessobjects.com/devxi/1005 

If you have additional questions, 
contact us directly at 1-888-333-6007. 


Crystal Reports 


Eclipse 


The Business Objects logo and Crystal Reports are 
trademarks of Business Objects in the United States 
and/or other countries. All other names or products 
referenced herein may be the trademarks of their 
respective owners. ©2006 Business Objects. All 
rights reserved. 
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Since 1998, when IBM 
began the Eclipse 
project, its primary 
design goal has been 
as an extensible 
integration platform 
for application 
development tools. 


Enterprise Development 


Enterprise Development, continued from page 52 


in their commercial products by adding 
function through plug-ins, using the 
Eclipse Modeling Framework (EMF) and 
other modeling projects to provide a 
deeper level of integration between life- 
cycle phases and artifacts, and by adding 
support and services for Eclipse itself. 
For example, the IBM Rational Software 
Development Platform (http://www. 
ibm.com/software/rational/), built on 
Eclipse, provides lifecycle support and 
traceability to enable clients to govern 
software and systems development. 
Since 1998, when IBM began the 
Eclipse project, its primary design goal 
has been as an extensible integration 
platform for application development 
tools. Fast forward and today we see the 
Eclipse platform being used across hun- 


dreds of IBM products and thousands of 
open source projects and commercial 
products for software development and 
beyond. These projects and offerings 
appeal not only to enterprise developers, 
but also to professionals across all the 
pillars of the Eclipse community. The tre- 
mendous growth of projects, products, 
service offerings, skills, and knowledge 
in turn benefits those producing the 
same, including the enterprise devel- 
oper. And it is the enterprise developer 
who in general has the broadest, most 
comprehensive set of needs and who 
can benefit the most from the Eclipse 
ecosystem. 


Do you develop in multiple languages on Eclipse ? 
SlickEdit offers one powerful plug-in 
that can take care of all your editing needs. 


C/C++, Jan: 


For over 18 years our multi-language development tools and advanced code editors have supported 
the world's most skilled power programmers. We know that our products enable even the most 
accomplished developers to write code faster and more accurately. Now Eclipse developers can 


discover the power of SlickEdit® 
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slickbdit 


www.slickedit.com 


SlickEdit® Plug-In 3.2 for Eclipse™ — Discover the SlickEdit advantage today. 
Download a FREE trial at www.slickedit.com/sept or call 1.800.934.3348. 


SlickEdit is a registered trademark of SlickEdit Inc. All other products or company names are used for identification purposes only and may be trademarks of their respective owners. 
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Rich Client 
- Platform 


Mark Johnson, Instantiations 


clipse was originally devel- 
oped as a software tools 
integration framework. 
Traditionally, most appli- 
cation developers have 
designed their own soft- 
ware architectures and then constructed 
application frameworks themselves. This 
approach increases development time 
and adds considerable cost in time, sup- 
port, and effort to solve a problem that 
is peripheral to building the application 


business logic. 

Starting with version 3.0, the Eclipse 
development team completely separated 
the base runtime platform, known as 
the Rich Client Platform (RCP), from the 
development tools infrastructure. The 
result is an extensible, cross-platform 
application framework that is suitable 
for building almost any kind of desktop 
or rich client application in Java. The 
first wave of commercial RCP-based 
applications is starting to appear ina 
wide variety of vertical industries. Many 
organizations are standardizing on 
RCP as the architecture for their internal 
IT applications, thus enabling them to 
run as a manageable, integrated suite 
rather than as disassociated units of 
functionality. 
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Over the past few years the Eclipse 
project has grown dramatically and 
matured into a powerful development 
environment. Traditionally Eclipse has 
been thought of as a great IDE for Java 
software development. Eclipse RCP has 
broadened the platform's relevance in 
the marketplace. The Eclipse community 
recognized that many elements of the 
Eclipse IDE could be used for building 
general-purpose applications. When 
constructing business applications, 
developers could use the elegance of 
the plug-in architecture, the responsive, 
native-looking user interface, and the 
easy-to-use help system. By using a 
common framework for developing busi- 
ness applications, developers can focus 
their energies on addressing the specific 
requirements of their application instead 
of wasting time reinventing a set of core 
infrastructure services. 

The platform-independent Eclipse 
RCP architecture makes rich client 
applications easy to write because 
business logic is organized into reus- 
able components called plug-ins. Eclipse 
RCP provides a core set of services, 
representing a substantial percentage 
of the development functionality, so that 
developers don't have to “reinvent the 
wheel" by writing infrastructure code. 
These Eclipse RCP services are available 
to every application component plug-in. 
These services are the interface between 
a plug-in and the low-level platform- 
specific functionality that supports the 
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plug-in, just as a Java EE container is the 
interface between Enterprise Java- 
Beans (EJB) and the application server. 
Because developers don’t have to create 
these core services, they are free to 
concentrate on writing code that solves 
the business problem at hand. Develop- 
ers often choose to use Eclipse RCP over 
a Web browser to develop desktop appli- 
cations when there is highly complex 
information to process and display and 
performance is a key requirement. 

The Eclipse RCP brings Java back to 
the desktop. It is ideal for building rich 
user interfaces for the client side of a 
client-server system and for building 
stand-alone desktop applications. Eclipse 
RCP is having a significant impact on the 
desktop computing strategies of enter- 
prise organizations. In fact, with Eclipse 
RCP, there may now be fewer obstacles 
to replacing costly desktop operating 
systems with low-cost alternatives by 
bridging the discontinuity caused by the 
Win32 Vista API shift that Microsoft is 
proposing. 
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The Pillars of Eclipse 


clipse has proved to be 

a viable platform for the 
development of rich client 
applications. As much as 
the Eclipse Rich Client 
Platform (RCP) is providing 
the fundamental building block for gen- 
eral-purpose applications, it is by far not 
the only building block that can facilitate 
the development of powerful rich client 
applications. 

Let's first look at how to distinguish 
application frameworks from the tools 
side of Eclipse. Tools such as JDT are 
used only at development time, whereas 
runtime frameworks such as the Eclipse 
Modeling Framework (EMF) are deployed 
with the application. 


Application frameworks encompass 
two major areas: general-purpose run- 
time frameworks and vertical frame- 
works. 

Eclipse provides a number of 
well-established runtime frameworks, 
including EMF, which is one of the most 
prominent. With EMF it becomes much 
easier to create, manage, and extend a 
Java representation of a domain model. 
With EMF you can easily navigate a 
model, validate its consistency, and read 
and persist the model out of the box. 

If you have an XML schema describing 
your domain model, you can get started 
immediately and simply generate a 
Java representation of it. Models play 

a significant role in making applica- 
tions act intelligently, and this kind of 
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Frameworks 


intelligence has differentiated Eclipse 
from other products in the tools space. 
Another mature runtime framework is 
the Graphical Editing Framework (GEF), 
which enables the visualization and 
visual editing of data. 

Beside the above-mentioned well- 
established and mature runtime frame- 
works, Eclipse is providing a number of 
interesting frameworks that are earlier 
in their product lifecycles. Four of them 
are featured here: Eclipse Communica- 
tion Framework (ECF), Equinox, Nebula, 
and Rich AJAX Platform (RAP). 

ECF simplifies the creation of distrib- 
uted applications that require peer-to- 
peer or client-server messaging. If, for 
example, you would like to add instant 
messaging to your application, this takes 
only a fraction of the time with ECF com- 
pared with implementing it yourself or 
integrating a third-party framework. 

Equinox has become a project in its 
own right with the latest Eclipse release. 
Equinox is an OSGi (Open Source Gate- 
way Initiative) implementation and pro- 
vides the core functionality that enables 
the Eclipse plug-in model. Recently 
Equinox has been extended to run inside 
Web containers, enabling advanced 
componentization of Web applications by 
using plug-ins and extension points. 


Jochen Krause, Innoopract 


The Nebula project is focusing on 
advanced widgets for business applica- 
tions, such as a grid component that 
offers spreadsheet-like capabilities for 
any kind of application. 

RAP is a server-side runtime frame- 
work that extends the reach of Eclipse to 
browsers. RAP enables the reuse of the 
business logic plug-ins of an RCP applica- 
tion in an AJAX Web environment-and 
the user interface can be developed by 
using plug-ins and a widget toolkit. 

In the area of vertical frameworks, 
Eclipse is in an early phase, but projects 
such as the Open Healthcare Framework 
show the potential for Eclipse acting as 
a platform/infrastructure for industry 
collaboration and standard implementa- 
tions. 

With its roots as an integration 
platform and its plug-in architecture, 
Eclipse may become the first pervasive 
framework for constructing large parts 
of applications by assembling compo- 
nents. 
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Kevin Parker, Serena Software 


pplication lifecycle 
management (ALM) is 

a process, not a collec- 
tion of tools. The ALM 
infrastructure in place in 


most organizations today, 
however, has been acquired over time to 
solve particular point problems in silos 
within IT. The industry has spent the past 
20 years trying to integrate and orches- 
trate these tools to support the ALM 
process, but success has been patchy. 
Every organization knows it could find 
ways to improve its ALM infrastructure 

if it had the time and the resources. It is 
time we stood the tool selection process 
on its head. 

There are many competing factors 
in play when it comes to selecting ALM 
tools. Functionality is usually at the top 
of the list, and the tool's ability to inte- 
grate with the other tools follows close 
behind. Often near the bottom of the 
priority list is the process that the tool 
follows to deliver its functionality. 

Every development community fol- 
lows similar development processes, but 
no two are exactly the same. An organi- 
zation with massive legacy applications, 
which is risk-averse, will not use the 
same methods and best practices as an 
organization that is delivering e-com- 
merce solutions in a rapidly changing 
market. This means that the process 
should be the first criterion specified in 
selecting tools. What microprocess is 
embedded in the tool? Does it meet the 
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customer's best practices? Is the process 
configurable and flexible to support the 
customer's development methodology? 

Another factor to understand is the 
handoff from existing tools to this new 
tool and from this new tool to other tools 
in use in the customer's development 
infrastructure. This is not just about 
exchanging data. Many integrations 
today are merely automated cut-and- 
paste with the occasional semaphore 
being exchanged. ALM is a process, so 
tools need to be concerned with account- 
ability and ownership of tasks, state 
transitions, and permissions in support 
of that business's process. This means 
that when selecting tools we should be 
concerned with their process infrastruc- 
ture much more than their API calls. 
The goal is, through combining tools, to 
create a macroprocess that implements 
the overall ALM process. 

Of the tools servicing today's ALM 
needs, many address the process 
automation within a given discipline 
or practice, but none is really able to 
orchestrate the processes across and 
between tools to drive the level of auto- 
mation and interoperability across the 
application lifecycle that finally delivers 
real ROI and competitive advantage for 
both the individual role-based contribu- 
tor and/or user, and the enterprise as a 
whole. 


With the Eclipse framework, you 
can create as rich or as light an IDE as 
needed from the thousands of commer- 
cial and open source plug-ins available 
today. This trend is making its way into 
the ALM community, and customers 
are asking for the functionality in their 
requirements management, configura- 
tion management, collaboration, and 
other ALM tools to be exposed as Web 
services. In this way they can combine 
the vital parts of the technology and 
orchestrate them in support of their ALM 
development methodology. 

Application development is now seen 
as amechanism that brings competi- 
tive advantage to the organization; as a 
result, the business is demanding greater 
optimization and effectiveness from IT. 
Some vendors are already on this path 
and delivering the next iteration of ALM. 
The open source community, and Eclipse 
especially, already sees the value of this 
and is providing the infrastructure to 
make this vision possible with projects 
such as Eclipse’s Application Lifecycle 
Framework (ALF) and Corona. ALM 
needs to evolve: as a community we can 
make it happen. 
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Change Governance 


Change. 


Your organization can’t escape it. 
Si 


But it can take advantage of it. 


Globalization. Regulatory 
compliance. Competitive pres- 
sures. Mergers and acquisitions. 
The forces of change are 
everywhere in today’s enterprise, 
consuming time, money, and 
resources, increasing risk, and 
challenging business operations. 
Even the smallest changes, which 
may start out in some remote 
corner of the company, can grow 
into something that ripples 
across the enterprise with 


unexpected consequences. 


If organizations know that change is 
coming and they can anticipate and 
channel its potentially destructive 
energy, then change becomes a catalyst 
for transformative business results. How 
can organizations take advantage of 
change in today’s distributed enter- 
prise, when the silos of change - areas 
where change is managed in isolation, 
without an understanding of its impact 
on the organization on the whole - are 
everywhere? 


The answer is Change Governance 
from Serena. 

Change Governance is a fundamentally 
new approach to the problem of change. 
Change Governance spans the silos 

of change, providing an enterprise- 
wide, holistic solution that enables 
organizations to visualize, orchestrate, 
and enforce change events across the 
enterprise. Change Governance allows 
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organizations to understand the impact 
of a change before it happens, translate 
that understanding into effective poli- 
cies and processes, and drive adoption 
of the policies and processes across 

the enterprise. Change will continue 

to confront the organization. But now 
there's a new way to deal with it. Thanks 
to Change Governance solutions from 
Serena, the challenge of change can be 
transformed into an opportunity to make 
the company stronger, more profitable, 
and more competitive. 


Staying ahead in a changing world 
The pace of change isn't going to slow 
down any time soon. In fact, it seems 

as if change is happening faster than 
ever before, driven by the increasingly 
complex nature of the enterprise and 
evolving change events, such as Sar- 
banes-Oxley, for example, that challenge 
today’s enterprise like never before. 
Even beneficial changes, such as growth 
and implementing best practices, can 
interrupt the flow of business and strain 
company resources. And as companies 
respond to the forces driving change 
within the organization, they may find 
that the way in which they respond to 
these changes may in turn fuel more 
change. Given the risks of change 

- unexpected con- 
sequences, rising 
costs, damage to 
quality and ser- 
vice, loss of cus- 
tomers, revenue, 
and reputation 

- it's not surpris- 


Figure 1 


ing that compa- 
nies see change 
as a threat instead 
of an opportunity. 
But responding to 
change proac- 
tively, instead 

of reacting to it 
defensively, can 


Global Ops 


Change 
Event 


make all the difference to the organiza- 
tion. (See figure 1). 


Seeing beyond the silos of change 
Where does change come from? How 
does it spread across the organization? 
In today’s global, distributed enterprise, 
change often starts in silos, areas where 
change is viewed in isolation from the 
rest of the organization. These silos may 
take the form of departments, divisions, 
geographies, or business units. While a 
specific change event may be contained 
and managed within a silo, the common 
frame of reference that enables the com- 
pany to see the impact of the change 
outside the silo, or to integrate the 
change with other activities outside the 
silo, is missing. If change is approached 
in isolation, it can have unforeseen and 
damaging consequences in other areas 
that can impact profitability. For global 
enterprises, an unforeseen change 
managed in a silo in one region can spell 
disaster for departments in satellite 
geographies. According to LiveVault. 
com, unforeseen changes can cost com- 
panies anywhere from $50,000 to $5 
million per hour. And BusinessWeek 
puts the estimated cost of software 
failure to American companies at $85 
billion per year. 
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Eclipse: A Special Supplement 


Recognizing the limits of Software 
Change Management 

In an effort to respond to change more 
effectively, many organizations have 
adopted a software change management 
(SCM) strategy. While SCM solutions can 
be effective in many discrete areas of the 
enterprise, what they lack is what places 
the enterprise at greatest risk: The abil- 
ity to see the enterprise holistically, and 
to understand the impact of change on 
the organization as a whole. In fact, SCM 
solutions may even add to the problem 
by creating silos of change, since it’s 

not uncommon for a single enterprise 

to have numerous SCM tools being used 
within multiple 1T and workgroup silos, 
increasing the complexity of change. 
What's more, SCM solutions focus only 
on application development, ignoring the 
broader needs of the enterprise. 


Turning change into an advantage 
with Change Governance ~ 

Change Governance moves beyond SCM 
solutions with a strategic approach that 
enables the organization to consistently, 
efficiently, and successfully implement 
change, eliminating the fear of disruption 
and negative outcomes. (See figure 2). 


Figure 2 


Change Governance layers 
Visualize, Orchestrate and Enforce 


across enterprise silos 
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Change Governance extends across 
enterprise silos, enabling business and IT 
to share a common frame of reference. 
As aresult, instead of delaying or avoid- 
ing change, change can be approached 
proactively, as an opportunity to 
improve business practices. Change 
Governance eliminates the potential for 
risk while containing or reducing costs, 
maintaining or improving quality, and 
minimizing risk. 


Taking the steps to 

Change Governance 

How does Change Governance work? 
How does it use change as a catalyst for 
transformative business results? 


Visualize 

Change Governance enables the com- 
pany to visualize the impact of a change 
before it happens, so it can plan for 
change from an enterprise perspective. 
The ability to comprehend the impact 
of a change before it is initiated helps to 
mitigate its impact on the organization 
as a whole. 


Orchestrate 

Change Governance provides a phased 
approach to managing change from 
inception through definition, develop- 
ment, implementation, and maintenance. 
This optimizes communication and 
collaboration across process teams, 
increases efficiency, and mitigates risk. 


Enforce 

Change Governance drives adoption 

of policies and processes across the 
enterprise. This ensures that the positive 
effects of change will be consistent and 
long lasting, and standardizes the best 
practices for an effective and ongoing 
response to change events, reducing 
training time, increasing efficiency, and 
improving customer satisfaction. 


Commanding change with Serena 
Serena has been helping companies take 
advantage of change for more than 25 
years. With the broadest platform and 
third-party integration support in the 
industry, Serena offers Change Gover- 
nance solutions that can transform the 
organization. Designed to fit the pace 
and complexity of mid- to large-sized 
enterprises, these solutions and services 
include: 


Application Lifecycle Management (ALM) 
Serena ALM solutions enable Change 
Governance across the application 
lifecycle from inception to implementa- 
tion, through proposed change impact 
analysis, lifecycle process orchestration, 
and enforcement of approved, auditable 
activities within the lifecycle. 


Operations Process Management (OPM) 
Serena OPM solutions enable companies 
to govern critical enterprise processes 
so that they can turn change events into 
a business advantage 


Learn more about Serena Change 
Governance solutions by contacting 
info@serena.com or by visiting our 
website at www.serena.com. 


TM 


Serena Software Inc. 

2755 Campus Drive 

San Mateo CA 94403 USA 

Tel +1-800-547-7827 

Serena is aregistered trademark of Serena Software, 
Inc. Change Governance is a trademark of Serena 
Software, Inc. All other products or company names 
are used for identification purposes only, and may be 
of their respective owners. Copyright © 2006 Serena 


Software, Inc. All rights reserved. 
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SOA Tools 


The Pillars of Eclipse 


ervice-oriented archi- 
tecture (SOA) is a set of 
principles intended for use 
in the design of medium- 
and large-scale software 
systems. These prin- 
ciples include development to a public 
contract, minimizing codependence in 
participating communities, and diversity 
in technology solutions. 

The principles of SOA have been 
enacted in real-world systems for the 


past decade, but only in the last few 
years has the approach come to the level 
of prominence that has turned it into 
one of the major trends in the enterprise 
software industry. 

SOA adopters have taken to the 
approach for a variety of reasons, but 
the main driver as always has been 
economic efficiency. The architectural 
principles of SOA align well with the 
requirement to reuse existing trusted 
and stable software assets. Application 
of SOA ultimately leads to the specifica- 
tion and deployment of a community of 
business-value services, creating new 
and potentially reusable software assets. 

SOA is an architectural approach that 
is technology-independent, but when an 
SOA solution is to be deployed in a busi- 
ness, it must be bound to a particular 
SOA-supporting infrastructure. The con- 
tract-development approach may also 
differ, depending on what the chosen 
SOA infrastructure can support. Bringing 
an SOA solution from the drawing board 
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to reality can be a complicated task, 

and tools are a vital part of the process. 

These tools need to be extensible in 

terms of their supporting technology, yet 

support a similar approach in terms of 
developing the key aspects of the SOA, 
such as contract and policy. Eclipse, with 
its focus on extensibility and commu- 
nity participation, is the ideal place to 
develop the basis for SOA tools. 

The SOA Tools Platform (STP) project 
was initiated to create a core set of 
capabilities that will allow SOA vendors to 
construct tools specific to their tech- 
nology choices. Following the Eclipse 
method, these capabilities will be realized 
in the form of frameworks and exemplary 
extensible tools to cover the diverse 
aspects of designing, constructing, and 
deploying software purposed toward the 
implementation of an SOA solution. 

The STP project has such a diverse 
remit that it hosts five sub-projects: 

* The Core sub-project hosts an exten- 
sible assembly model framework. It is 
used to wire together associated ser- 
vices and is based upon the assembly 
model developed by the Service Com- 
ponent Architecture initiative (http:// 
www.iona.com/devcenter/sca/). 

* The Service Creation sub-project hosts 
frameworks and tools for authoring 
services and contracts. 

* The SOA System sub-project hosts an 
extensible framework for deploying 
multiple services collated as an assem- 
bly to multiple runtimes. 


Tools 


Oisin Hurley, IONA Technologies 


* The B2J sub-project will host tools 
to translate Business Process Execu- 
tion Language (BPEL) to Java classes 
(http://en.wikipedia.org/wiki/BPEL). 

* The BPMN sub-project will host a set 
of tools to model business processes 
using Business Process Modeling 
Notation (http://en.wikipedia.org/wiki/ 
BPMN). 

The sub-projects come together to 
allow the development, assembly, and 
deployment of contract-based services 
to hosting environments, such as Java 
EE (http://java.sun.com/javaee/) and JBI 
(http://en.wikipedia.org/wiki/Java_Busi- 
ness_Integration). 

The SOA Tools Platform project is 
growing, with code contributions being 
delivered to the sub-projects. The next 
steps for the project encompass the 
integration of the sub-projects, based 
upon real-world SOA construction sce- 
narios, the addition of new capabilities as 
required, and the all-important building 
of a community of developers and users 
of the project. 


Project Links: 
http://www.eclipse.org/stp/ 
http://wiki.eclipse.org/index.php/STP 
http://dev.eclipse.org/mhonarc/lists/stp- 
dev/maillist.htm! 
news://news.eclipse.org/eclipse.stp 
(password needed from http://www. 
eclipse.org/newsgroups/register.php) 
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Rich Internet 
Applications 


David Gruber, Adobe Systems 


hile few would ques- 
tion the benefits 
that Internet-based 
applications have 
brought to businesses 
and consumers alike, 
the actual experience of interacting with 
many Web-based applications leaves 
much to be desired, especially when 
compared with the richness and usability 
of the best desktop applications. 

For consumer-oriented applica- 
tions, such as e-commerce, the Web's 
page-based model and lack of client-side 
intelligence can make even relatively 


simple transactions confusing and error 
prone. As aresult, online businesses are 
losing millions of dollars to abandoned 
shopping carts or costly customer ser- 
vice calls. 

For business applications, the 
problem is particularly acute. While the 
Web deployment model has allowed 
IT organizations to reduce the cost of 
software deployment, it has also created 
a community of underserved business 
users that long for a return to the usabil- 
ity and responsiveness of desktop and 
client/server applications. As a result, 
businesses are losing millions of dollars 
per year because of low productivity or 
poor decisions. 

Fortunately, after long focusing on 
the technical challenges of Web-enabling 
their application infrastructure, forward- 
looking IT professionals are now turning 
their attention to design patterns and 
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technologies that can improve the client 
side of the equation. We are now seeing 
widespread deployment of rich Internet 
applications (RIAs), a new class of appli- 
cations that combine the responsiveness 
and interactivity of desktop applications 
with the broad reach and ease of distri- 
bution of the Web. 

Macromedia (now part of Adobe) 
introduced the term rich Internet 
application in 2001 to describe a new 
kind of Internet-based application being 
delivered by the vanguard of the Web 
development community. RIAs com- 
bine best practices in user interaction 
design-for example, avoiding page 
refreshes, expanding information in 
place, and using interactivity and video 
to guide or train users—with sophisti- 
cated use of Web-based technologies to 
deliver a better user experience. 

RIAs are more than just “eye candy"; 
they provide measurable value to 
the enterprise. According to leading 
researchers, adoption of RIA technology 
is accelerating. Forrester Research fore- 
sees “a significant swing in 2006 toward 
the thin client model for enterprise 
application development and deploy- 
ment" (Zetie, C. The Rise of Rich Internet 
Applications. Forrester Research, April 
10, 2006). Gartner believes that by 2010 
more than 60 percent of new projects 
will include RIA technology (Driver, M., 
Valdes, R., Phifer, G. Rich Internet Appli- 
cations Are the Next Evolution of the 
Web. Gartner, May 4, 2005). 


The Pillars of Eclipse 


RIAs can drive increased return on 
investment by simplifying and improving 
the user interaction-enabling users to 
find information more easily, complete 
tasks quickly and accurately, and use 
rich data visualization to make better 
decisions. While consumer-facing sites 
have been the most aggressive adopters 
of RIA technology, many enterprises are 
now moving to apply that technology to 
internal and external business applica- 
tions as well. 

Before realizing these benefits, 
however, IT professionals must navigate 
through a new set of technologies, as 
well as understand the architectural and 
developer skill requirements implied by 
the move toward RIA-style applications. 
RIAs add new architectural challenges, 
such as managing and synchronizing 
local client data, while requiring a new 
set of creative and design tools and 
resources for creating rich user experi- 
ences. 

As RIA technologies quickly advance 
and become available, IT organizations 
will rapidly be able to adopt this exciting 
new approach to delivering more expres- 
sive, more engaging applications that 
drive revenue and productivity. 
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The Pillars of Eclipse 


hen it comes to 
embedded develop- 
ment, the Eclipse 
platform presents 
something of a 
paradox. On the one 
hand, it offers few features that directly 
address the requirements of embed- 
ded system developers. On the other 
hand, the Eclipse platform, together with 
the Eclipse C/C++ development tools 
(CDT) project, serves as the foundation 
for most of the IDEs in the embedded 
market. 

To understand this paradox, consider 
the issue of cross development. By 
default, Eclipse and CDT support self- 
hosted development in which you debug 
and test code directly on your local 
workstation. This approach makes sense 
when developing IT server applications, 
since the workstation host and target 
system typically share the same operat- 
ing system and processor architecture. 
It doesn't apply to embedded develop- 
ment, however, where the host typically 
uses one processor/operating system 
combination (e.g., x86/Linux) and 
the target system uses another (e.g., 
PowerPC/QNX Neutrino). In this case, 
developers need a cross-development 
environment that lets them download, 


debug, and control their applications on 
a remote target. 
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Embedded 
Development 


Likewise, Eclipse doesn't provide the 
tools that embedded developers need to 
optimize concurrent, time-critical appli- 
cations. In desktop development, line 
debugging can address most software 
problems. In embedded development, on 
the other hand, you must often analyze 
the complex interactions of multiple con- 
current tasks and understand how those 
interactions affect the system's ability 
to meet hard deadlines. System-level 
analysis and optimization is key. 

It seems, then, that the Eclipse/CDT 
combination lacks the goods for embed- 
ded development, but nothing could be 
further from the truth. Until the arrival 
of Eclipse and CDT, vendors of embedded 
development tools and realtime operat- 
ing systems (RTOSs) were all reinvent- 
ing-and maintaining-the same wheel. 
Developers all had their own IDEs, their 
own editors, and their own debuggers. 
By providing a comprehensive tooling 
infrastructure, Eclipse and CDT free 
vendors of this burden and allow them 
to concentrate on target-focused tools 
that specifically address the demands 
of embedded developers. For example, 
since moving to a CDT-based develop- 
ment environment in 2002, the RTOS 
vendor QNX Software Systems has 
introduced tools for system profiling, 
application profiling, memory analysis, 
and remote file-system navigation, which 
together provide the target information 
and runtime analyses that embedded 
programmers require. 


Doug Schaefer, ONX Software Systems 


Moreover, Eclipse is much easier 
to extend than traditional embedded 
development environments, providing 
extension points and APIs that are open 
and well documented. This extensibility 
not only allows vendors to plug in their 
own value-added tools, but also allows 
their Eclipse-based environments to sup- 
port popular third-party tools for UML 
modeling, source-code static analysis, 
requirements management, and configu- 
ration management. 

The net result: embedded develop- 
ers no longer have to use one IDE to 
bring up their embedded board, another 
IDE to design or write code, and yet 
another IDE to perform target-system 
analysis. Rather, they can use a single, 
integrated environment for all their 
development activities. This integration 
also allows previously isolated tools to 
share data with each other, without the 
need for manual intervention. The result 
is improved workflow, further allowing 
developers to focus on what's important: 
understanding and optimizing target 
behavior. 
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21st International 
Gonference on 


Object-Oriented 
Programming, Systems, 
Languages, and 
Applications 
OCTOBER 22-26, 2006 


Oregon Convention Center 
Portland, Oregon, USA 


OOPSLA 2006 Contact Information 
Conference Chair: Peri Tarr, IBM Research 
chair@oopsla.org 


Program Chair: William Cook, UT Austin 
papers@oopsla.org 


www.oopsia.org 


PLAN TO ATTEND! 
CRITICAL DATES: 


— September 15, 2006 — 


e Discount for early 
registration ends 


__ October 15, 2006 __ 


e Last day to advance 
register 


— October 22-26, 2006 — 


e Register at OOPLSA 
© Check in 


— While space remains — 


e Submit a 5-minute 
Lightning Talk 


.Check out all the offerings. 


e Get the complete program 
e Online, or PDF 
e www.oopslia.org 


For information, please contact: 
AGM Member Services Department 
1-800-342-6626 (US & Canada) 
+1-212-626-0500 (Global) 
E-mail: info@oopsla.org 

OOPSLA is 


X sponsored by 
) ACM SIGPLAN 
in cooperation 


with SIGSOFT 


CLASSIFIED 


Hewlett-Packard 
Research Scientist 


We are presently looking for Research Scientists in the 
following areas: Document Image Processing, HCI, Embedded 
Operating Systems, Media Streaming, Document Management, 
Digital Publishing, DRM, PC Architectures, Information 
Embedding, Web Services You must have a Doctoral/Post- 
graduate qualification from an international university of 
repute. Please send your resumes by email to:hplindia DOT 
careers AT hp DOT com with the subject line indicating the 
area you are applying for. 


DreamWorks Animation, SKG 
Production Software and Pipeline Developer 


DreamWorks Animation is seeking a production software 
and pipeline developer. Maintain core pipeline systems. 
Design, develop, and support tools and processes which 
extend and enhance the pipeline. To apply, visit us at 
www.dreamworksanimation.com. Click on “Careers” 


Aptima 
Division Director, Human-Systems Integration 


Division Director, Human-Systems Integration Woburn, MA 

or Washington DC Office Join a rapidly growing leader in 

the Human-centered Engineering industry as a member of 

the senior management team. Aptima is seeking a Division 
Director for our Human-Systems Integration Division. The 

HSI Division, one of four in the company, focuses on the 
engineering of complex sociotechnical systems and the design 
and evaluation of technology. Key disciplines include cognitive 
systems engineering, interaction design and data visualization. 
Minimum requirements: Ph.D. or Masters Degree plus six years 
full time post MA/MS technical management experience in 
defense or commercial industry Personnel supervision and 
development experience: Leadership of highly credentialed 
scientific/technical staff of 10 or more Project management 
experience: Full profit/loss and compliance responsibility 

for large complex R&D contracts Business development 
experience: Proven, material success in developing business 
opportunities through lead generation, direct selling, and 
proposal writing. Entrepreneurial experience in growing a 
business or business unit. The Division Director should have 

a background in systems modeling and engineering, user 
interface design and evaluation, and/or data visualization. The 
ideal candidate will have the interpersonal and organizational 
skills to lead a team towards fulfilling corporate objectives 
that he or she will have the opportunity to help shape. 

Aptima will compensate applicants for any travel or relocation 
expenses to fill this position. All applicants must be willing 

to work in one of Aptima’s office locations Monday through 
Friday (no telecommuting or compressed schedules). Qualified 
candidates must submit a cover letter, resume, and publication 
list and salary requirement to aptima_personnel@aptima.com 
No phone calls or employment agencies please. All applicants 
selected will be subject to a government security investigation 
and must meet eligibility requirements for access to classified 
information. Equal Opportunity Employer M/f, Vets/disabled 


Murex North America 
About the Opportunity — Technical Consultant 


This is a great opportunity to get hands-on experience in 
Financial Derivatives software development and implentation. 
Murex North America offers a unique environment that fosters 
individual growth and rewards performance. The staff is close- 
knit and supportive. You’ll get the chance to work with bright, 
highly motivated people. 


Help Murex North America continue to lead the Financial 
Software industry by acting as a Technical Consultant who 
creates and modifies C/C++ programs; confirms project 
requirements; arranges project requirements in programming 
sequence; encodes project requirements; confirms program 
operation and prepares reference for users. 


The core of Murex applications is constantly evolving: 
development of new modules and new financial instruments, 
extension of existing modules in order to adapt them to 

ever increasing requests for new features, trade volumes, 
integration of existing software into electronic trading 
applications, etc. Our component-based architecture and 

our strong reliance on the Java and XML environments have 
prompted us to specialize teams of Java and C/C++ developers 
in component programming and middleware. The components 
covered by these teams are used throughout our solutions, 
from graphical applets, to eCommerce workflows or back-office 
monitoring tools. Integrationists should master the C/C++ and 
Java languages and the structured programming principles, 
and have a decent knowledge of applied mathematics. They 
become progressively experts in financial engineering within 
the teams they have joined. 


Qualifications 

¢ Expert eproblem-solver. Sorts through complex issues and 
conducts comparative analysis of multiple solutions. 

e Advanced C/C++ programming skills, with experience 
working on commercial-grade software projects, complicated 
designs and highly optimized code. 

¢ Unix 

¢ Maintains painstaking attention to detail, completing multiple 
or repetitive tasks. 

¢« Demonstrates a serious commitment to accuracy and quality 
while meeting goals or deadlines. 

¢ Competently analyzes and prioritizes information to make 
appropriate recommendations. 

« Demonstrates persistence. Strives to improve skills and 
achieve goals despite setbacks, obstacles. 

¢ Basic software algorithm design skills. 

¢ Grasp of software development fundamentals. 

¢ Experience performing manual, ad-hoc, and automated 
software testing. 

¢ MS or BA/BS and equivalent experience. 


Continued from page 72 

ting a timeline to address the issues, and putting in place 
longer-term cultural efforts (e.g., education, processes, 
policies) that will help avoid similar issues in the future? 


PG] 

Don’t get me wrong, I’m all for protecting credit card data 
and processing systems. This is something that is com- 
mon sense, but sadly, common sense is by no sense com- 
mon. Because of this, the payment card industry—you 
know, that cartel of card companies such as Visa, Master- 
Card, and American Express—has taken it upon itself to 
mandate compliance with its data security standard. 

The DSS is PCI’s attempt to define what you can and 
cannot do if you are involved in credit card transactions. 
The standard touches on network security, cardholder 
data protection, vulnerability management programs, 
strong access control, network monitoring, and INFOSEC 
(information systems security) policies. If you have had 
any exposure to the notion of information security, you 
know there’s more than one way to address these notions. 

That being said, the PCI DSS is poorly written, defines 
very specific (and sometimes uneducated) technical con- 
trols, and is inconsistently applied. Auditors are forced to 
follow the letter of the law defined by the standard rather 
than the spirit of it, which would make more sense. The 
PCI has been so overbearing about what auditors have to 
do that the Big 4 accounting firms have pulled out of that 
line of business altogether. 

The standard also seems written to be buzzword compli- 
ant and is modeled on Windows-based systems (umm, 
we're a Unix shop). Again, it’s not about having auditors 
trained to find specific implementations that may or may 
not exist on a given platform but rather to have auditors 
trained to understand the issues that arise from a given 
system—what it does, how it does it, and how it addresses 
the standard. Are you looking for a device labeled as a 
firewall or firewall functionality? Are you looking for 
scanning the entire IP space or simply the network con- 
nected to the card processing systems? Are you looking 
for logfiles capturing very specific data for very specific 
events or rather verifying that in the event of an investi- 
gation, it is possible to have accountability of actions? 

Another problem is that the banks that are supposed 
to enforce compliance of merchants for the card com- 
panies are themselves not compliant and don’t really 
understand the problem. How can they approve compen- 
sating controls if they either have bigger problems once 
they receive our data or simply don’t have the experience 
to understand a given technical nuance? 


more queue: www.acmqueue.com 


Fortunately, our systems are architected such that the 
critical bits are segmented off from the rest of the com- 
pany, access controls are in place to get to them, and data 
is handled appropriately. It’s good systems engineering 
that properly identifies the system’s risks (inherent in the 
given application, its users, the data, and the processing), 
considers business and technology constraints, and puts 
it all together. This makes our PCI audit easier. After all, 
isn’t this what it’s all about? Our systems are not perfect— 
there’s no such thing—but they keep the data safe. 


NIRVANA 
Ideally, there should be only one audit per year that vali- 
dates a company’s security requirements and can be used 
to satisfy any or all external stakeholders. These security 
requirements are established based in part on specific 
risks or threats against the company’s business/systems 
and in part on relevant external compliance obligations. 
Systems identified as relevant to these external suitors 
get a calendar-based audit, while all the rest are reviewed 
every four (or so) quarters to ensure they are still doing 
the right thing and addressing potential new standards. 

Passing an audit needn’t be a headache. A well-oiled 
compliance machine is invisible to the product develop- 
ment teams. It all starts with the product development 
culture. Products are defined with risks in mind and how 
to address these risks. Architects put together systems that 
address users, their data, administrators, their access, and 
the interfaces over which all this occurs. Developers write 
fail-safe code and address the usual bits of input valida- 
tion (among other things). Operations personnel deploy 
and manage the systems in a similar fashion. 

Yes, compliance is more than an auditor pester- 
ing developers too many times per year, taking them 
away from their work. If done correctly, compliance is 
ingrained into employees’ minds and is just a part of 
doing business. You can get there with lots of training 
and built-in checks and balances. To me, a world without 
auditors—especially the Big 4—is nirvana. Q 
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ompliance. The mere mention of it brings to mind 

a harrowing list of questions and concerns. For 

example, who is complying and with what? With so 
many standards, laws, angles, intersections, overlaps, and 
consequences, who ultimately gets to determine if you 
are compliant or not? How do you determine what is in 
scope and what is not? And why do you instantly think 
of an audit when you hear the word compliance? 

To see the tangled hairball that is compliance, just 
take a look at my company. It is on the hook for SOX 
(Sarbanes-Oxley Act of 2002), as we are a publicly traded 
company; for a number of banks for the PCI DSS (pay- 
ment card industry data security standard), also known as 
Visa CISP (Cardholder Information Security Program); for 
HIPAA (Health Insurance Portability and Accountability 
Act); for CA 1786 (and all other states’ disclosure laws); 
and for the European Union, its member countries, Japan, 
Korea, and a handful of other countries’ privacy and data 
security laws (these alone could probably spawn an entire 
series of lessons and lectures!). 

The two main compliance obligations, SOX and PCI, 
address similar goals but take approaches that are 180 
degrees apart. SOX doesn’t specify a standard; instead it 
says to use some other established methodology or set of 
practices. PCI, on the other hand, specifies exactly what 
you must do, who can do it, where it applies, and how to 
determine if you are compliant. There should be a happy 
place where both meet. Let’s look at these two individu- 
ally and point out some of their unique problems. 


SOX 

Sarbanes-Oxley—what a pain that was the first time 
around! SOX has a component that addresses the 
integrity of systems involved in reporting numbers to 
the street. It’s this little part of SOX that causes so much 
pain, because depending on the interpretation, it can 
bring non-financial systems into the scope of a financial 
audit. Auditing computer systems, particularly systems 
that are not financial in nature, is an entirely different 
animal than auditing finances and financial systems, and 
the carpet-bombing approach often taken by large audit 
firms to pass the final audit does more harm than good. 
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Don’t let SOX 


AND PCI GET THE 


By carpet bombing I mean 
an all-out approach where 
armies of auditors and 
their handlers (AKA project 
managers) are sent out into 
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the company to try to figure out first what’s in scope and 
to what extent it’s in scope, then to pester those teams 
(for months), mapping what they think is compliant and 
twisting their arms to get them to fit that model before 
the actual audit so that the audit results in a 100 percent 
compliant result. Having auditors (internal and external) 
and compliance project managers in your face for months 
at a time weakens morale and impacts the bottom line. 
Why not instead work through a single touch point that 
bears the brunt of these folks, and let people do their jobs? 
This single touch point would be the only person 
allowed to interface with teams in both directions. This 
person would do the homework to determine the scope 
of the audit, identify the minimum personnel required 
to figure out how the system works, and then take that 
specific system knowledge and translate it into bits that 
the auditors can understand. This way, many months of 
endless meetings with more people than necessary in the 
room could be reduced to just a few weeks of disruption. 
Another problem with SOX is the actual control grid. 
The legislators didn’t specify a standard to follow; they 
left it up to the auditing firms. If this were just a financial 
systems audit, I’d say OK, no problem. It’s not, though. 
You now have inexperienced consultants following some 
sort of checklist that may or may not be applicable, and 
specifying controls that may or may not be relevant. Yes, 
SOX is the domain of the CFO and its auditors, but the 
reality is that the systems it targets are the realm of the 
CIO. Why not instead let the CIO drive SOX compliance 
such that it satisfies requirements set forth by the CFO? 
At the end of the day, it’s about ensuring that the 
systems involved in the revenue stream are secure and 
properly accessed by appropriate personnel. Is it really 
that difficult to assess this? Isn’t is more important to do 
the right long-term thing by identifying issues, finding 
solutions appropriate to the system/environment, get- 
Continued on page 71 
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Einstein who said: 
credibly slow, 
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